It’s the conversation that no business owner wants to have with one of its customers: “my credit card has some mysterious charges on it, and I believe that they stem from your business.” That’s exactly what happened to Blanca Aldaco, owner of Aldaco’s Mexican Cuisine
at Stone Oak in San Antonio, Texas.
“I remember everything just like it happened today,” says Aldaco, as she recalls the day when a customer came into the restaurant to inform her of some unauthorized charges to his card. “I listened to his speak and then I asked him, ‘what makes you think it came from here?’ And he said, ‘well this is the only place that I used this card.” By noon on the following Saturday, the restaurant had received three similar calls from customers. “By Sunday, we had probably 70 calls,” says Aldaco.
When the Secret Service and the police department showed up at the restaurant that Wednesday morning, Aldaco was already hearing of charges from as far away as Turkey and Ireland. “It was global; it wasn’t just in the United States,” she says. In the United States, the majority of the stolen card numbers were being used at Walmart and Target.
When all was said and done, roughly 5,100 credit cards were compromised (although not all of them had fraudulent charges), as a result of an overseas hacker who infiltrated the restaurant’s network with a sophisticated malware between March 21 and May 17, 2010. “Basically what they did was install a malware memory dumper, so every time we swiped, it was going into an imaginary pocket and it would stay there until they extracted it,” says Aldaco.
It's up to the VARs and solution providers that resell and install the payment processing technology to explain to their customers why it's imperative that all components involved with a transaction meet the guidelines laid out by the Payment Card Industry or face potential fines in the tens of thousands of dollars—not to mention a public relations nightmare.
Aldaco related the frustration that she felt about not knowing enough about PCI. “There is no education, nobody tells you about this until it explodes in your face,” she says. “Make sure that you don’t have any stored data, call your POS seller and make sure that you are up-to-date. And if you are lucky enough to have an IT guy, get going.”
"We as an industry, have an opportunity to create better educational tools that can help the small to mid-sized merchants understand the importance and process of protecting cardholder data from the start,” stated Henry Helgeson, co-CEO of Merchant Warehouse in a November interview. “Educating both merchants and partners on why PCI-DSS compliance is good for business and how to easily achieve it is the first step toward achieving more compliance. The second step is to advise merchants to use secure, PA-DSS certified payment processing solutions that can help them achieve and maintain PCI compliance with minimal additional costs or paperwork.”
Although Aldaco’s brush with a data breach was frustrating for the restaurant’s management staff and its patrons alike, their story is not anything new to retail. The industry has long been a victim of data breaches for a number of reasons. Here are seven other organizations that suffered the same fate as Aldaco’s last year:
Wyndham Hotels & Resorts: In February 2010, Wyndham Hotels & Resorts issued an open letter to their guests informing them that certain Wyndham brand-franchised and managed hotel computer systems had been compromised by a hacker, resulting in the unauthorized acquisition of customer names and credit card information. The hacker was able to infiltrate central network connections to move information to an off-site URL before the hotel company discovered the intrusion in late January 2010. The breach was believed to have occurred between late October 2009 and January 2010.
Julie’s Place: This Tallahassee eatery was identified by the Leon County Sherriff’s Office Financial Crimes Unit as the source of card compromises for more than 100 consumer accounts over the summer of 2010. It is estimated that the incident resulted in $200,000 is fraud losses. According to BankInformationSecurity.com
, the hackers targeted the restaurant’s point of sale system, somewhere between the network and the restaurant’s processor.
Destination Hotels & Resorts: Back in June, Destination Hotels & Resorts reported that the credit cards of guests who stayed at 21 of the company’s hotels may have been compromised. In a press release
, the company said that it uncovered a malicious software program that was inserted into its credit card system from a remote source, affecting only credit cards that were physically swiped.
HEI Hospitality: In September 2010, HEI Hospitality, owner and operator of a number of Marriott-branded and Starwood Hotels & Resorts, informed the New Hampshire Attorney General’s Office and its customers of a compromise to its IT systems, occurring from March 25-April 17. HEI sent letters to some 3,400 customers, informing them that their credit cards may have been compromised. According to DataBreaches.net
, the firm informed customers that they believed that the point of sale system used in a number of its hotels’ restaurants, bars, and gift shops, as well s the information management system used at check-in, were illegally accessed and transaction were intercepted.
Taco Bell:In late September, The Grand Rapids Press
reported on a credit card skimming scheme that that involved Taco Bell employees and two other individuals, Rodger Torres and Onil Rivas-Perez. Police say that the men used the card numbers to purchase pre-paid Visa gift card from three Meijer stores.
Broadway Grill: More than 1,000 credit and debit cards may have been compromised in an attack that occurred in late October on the Seattle Capitol Hill area restaurant, Broadway Grill. Officials say that the credit card data was stolen on October 22, and that the forensic trail leads overseas. The hacker, who was able to access the restaurant’s point of sale system.
McDonald’s: In early December, McDonald’s said that some of its customers may have been exposed during a data security breach when a hacker gained access to a third-party-managed database containing customer information, including: e-mail, phone numbers, addresses, birthdays and more. According to the company’s website, customers’ credit card information and Social Security numbers were not compromised.