Expert Commentary: 3 Million Credit Cards From Dickey’s BBQ Customers Sold on Dark Web
Last week, Dickey's BBQ confirmed a data breach. The cybercriminals posted details of 3 million credit cards on the Joker’s Stash underground marketplace. The exposure window was indicated to be between July 2019 and August 2020, with the cards coming from 156 locations across 30 states, out of the company's total of 469 locations across 42 states. In a statement to Threatpost, Dickey's had this to say:
“We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”
Saryu Nayyar, CEO of Gurucul, had this to say about the incident:
“The Credit Card dump of Dickey's BBQ customers’ cards highlights a number of issues. The first is a lack of consistency and enforcement in PoS terminal operations. The fact that we are still seeing mag-stripe based data, when chipped cards have been ubiquitous for years, indicates that many retailers have not taken card security seriously. The second issue is the apparent fact that this breach was ongoing for more than a year.
“Organizations need to do more, and quickly, to prevent this kind of theft. They need to deploy the latest PoS equipment, even at small franchise locations, and have an up-to-date security stack, including behavioral analytics, that can detect a breach long before three million customer credit card numbers wind up for sale on the dark web. This was most likely entirely preventable.”