Bad actors are selling access to 3 million Dickey’s Barbecue Pit customer credit cards, cyber-security researchers disclosed earlier this week.
On October 12, the dark web marketplace known as Joker’s Stash uploaded a collection of millions of compromised credit cards, most of them belonging to US-based customers.
According to Gemini Advisory researchers who analyzed it, the data appears to have originated from compromised point-of-sale (POS) systems used at Dickey’s restaurants.
A Gemini analysis indicates that 156 out of 456 current Dickey’s Barbecue Pit locations were compromised in the breach. The affected locations are spread across 30 states, “with the highest exposure in California and Arizona.”
“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” the report said. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”
The company also established the exposure window between July 2019 and August 2020, giving cybercriminals 10 months to steal payment records.
While Dickey’s has yet to release an official report, the company said it has started an investigation with the FBI.
“We received a report indicating that a payment card security incident may have occurred,” Dickey’s said. “We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway.
“We are currently focused on determining the locations affected and time frames involved,” the company added. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks.”