payment card

On the Dark Web marketplace, Gemini Advisory says, a data collection of millions of payment card documents allegedly stolen from US-based restaurant chain Dickey’s Barbecue Pit has surfaced.

The details, posted on the underground marketplace of the Joker’s Stash, appears to have been obtained from over a hundred compromised locations. The data seems to come from 35 US states and some European and Asian nations.

The BLAZINGSUN data collection reportedly comprises 3 million payment documents, with an estimated price of $17 per card.

There are 469 outlets operated under the Dickey’s Barbecue Pit franchise in 42 states, each of which has approval to use the type of point-of – sale (POS) system they want, as well as their chosen processors.

The details that appeared on Joker’s Stash, according to Gemini Advisory, indicates that 156 Dickey locations in 30 states might have been hacked. Between July 2019 and August 2020, the data was allegedly harvested.

Dickey’s runs under a franchise model that also requires each location to decide the type of system and processors they use for point-of-sale (POS). However, the damage could be attributed to a violation of the single central processor, which was leveraged by over a quarter of all Dickey’s places, considering the widespread existence of the breach,’ says Gemini Advisory.

The security company also reports that the exposure by location does not exactly correspond with the spread of the restaurant across states, but the exposure is roughly representative of the overall spread, with the exception of Texas, which hosts 123 restaurant locations but only three compromised locations.

Gemini also notes that payment transfers were conducted using the magstripe system in this infringement, which is obsolete and vulnerable to attacks. It’s unknown, though, whether the affected restaurants used redundant or misconfigured terminals.

“The documents from Dickey’s will likely continue to be applied to this marketplace for several months, based on past big breaches of Joker’s Stash,” the security company says.

The restaurant chain confirms it is mindful of a potential breach of data and an investigation has been initiated.

We received a warning stating that there may have been a security breach involving a payment card. We took this breach very seriously and our action plan was launched promptly and an investigation is ongoing. We are now focusing on identifying the affected sites and time periods involved. We use the expertise of third parties who have assisted other restaurants to resolve similar concerns.