Nowadays, you can’t even order a sandwich without putting your credit card data at risk of getting into the wrong hands. On January 11, 2018, Jason’s Deli, a popular restaurant chain – with great custom-made sandwiches, I might add – reported a data breach affecting 164 restaurants in 14 states and approximately 2 million payment card details. The hacker(s) didn’t just get the card numbers (PAN), but also the customer names, expiration dates, and card verification values (CVV). Ugh…
Initial reports say criminals installed RAM-scraping malware on a number of point-of-sale (POS) terminals at various restaurants starting on June 8, 2017. That kind of malware doesn’t bother with the database: it reads the card data out of the terminal’s memory during the few seconds it sits there in the clear after the swipe, which is exactly why a “we never store card data” posture does nothing against it. Jason’s Deli didn’t discover it on its own. On December 22 – more than six months later – payment processors informed them that a large batch of payment card data had appeared on the DarkWeb, and the cards pointed back to their restaurants as the common point of purchase.
After investigating further (with the help of a third-party forensics team), the response team confirmed that malware was present on POS terminals and disabled it at every infected location.
Data Breach Fatigue Turns into Data Breach Déjà-vu!
Oh, by the way, Jason’s Deli also suffered a data breach almost eight years ago, in 2010, and that one was also the result of POS terminal malware. Oh no, not again!
The big question is – what kind of data security has been implemented since the 2010 breach, and why wasn’t it effective? Was P2PE (point-to-point encryption) in place, so that card data is encrypted inside the tamper-resistant card reader and never sits unencrypted in the terminal’s memory where a RAM scraper can read it? And what does Jason’s Deli use for intrusion detection and endpoint monitoring, because for more than six months nobody noticed malware running on terminals at 164 restaurants! (I realize that’s four questions, but hey…)
The bigger question is – why hasn’t Jason’s Deli invested in any kind of data-centric protection? The kind that works with point-of-sale terminals, and alongside P2PE if they have it, so that the card details are protected at the endpoint, while they are transmitted to the payment processor (in-house or external), and when they are stored for settlement processing or for other business purposes (e.g. marketing, loyalty programs, big data analysis). The two techniques complement each other: P2PE covers capture and transit, and tokenization replaces the PAN everywhere it would otherwise be stored or handed to downstream systems. We at comforte strongly suggest tokenization to achieve this level of protection.
I’m going to talk with our Account Team because we need to get out to Beaumont, Texas, the HQ of Jason’s Deli, and talk to them about improving their cyber security posture. Jason’s Deli, and thousands of other companies as well, need to shift their strategies and focus on the data itself! It doesn’t matter how many layers of security they have, something isn’t working and data breaches are still happening!
Protect the Data itself with Tokenization
Tokenize the cardholder data (PCI DSS refers to this as “CHD”) so that if it does appear on the DarkWeb, it has no exploitable value – it’s meaningless! With tokenization, the stored names are not the real names, the card numbers are not valid account numbers, the dates don’t match the original card, and the CVVs are bogus! All of those data elements can be tokenized to keep the original cardholder data out of the hands of hackers and criminals. One caveat a QSA will raise: PCI DSS does not allow sensitive authentication data such as the CVV to be retained after authorization at all, even in encrypted form, so the place to protect the CVV is during the few seconds it exists at the endpoint, not in storage. Tokenization earns its keep on the PAN and the other elements a business legitimately needs to hang on to.
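To make the two halves of this story concrete, here is a small added example (mine, not comforte’s product and not anything from Jason’s Deli) that shows what a RAM scraper is hunting for and what it gets when only tokens are present. The memory buffer, the expiry date and the PAN (4111111111111111, a well-known test number) are constructed for the example; the vault-based tokenizer and its “tokens must fail Luhn” rule are my design choices for illustration, not a description of any particular product.

```python
import re
import secrets

# Constructed sample data for this example; 4111111111111111 is a public
# test PAN that passes the Luhn check, not a real account.
SAMPLE_PAN = "4111111111111111"

# What a POS RAM scraper searches process memory for: magnetic-stripe Track 2
# data, i.e. ';' + PAN (13-19 digits) + '=' + YYMM expiry + service code
# + discretionary data + '?'. Incident responders use the same pattern.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """Return every PAN present in cleartext Track 2 form in a memory buffer."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)]


class TokenVault:
    """Minimal vault-based tokenizer (hypothetical, for illustration only).

    Tokens keep the PAN's length and last four digits, so receipts, reports
    and loyalty lookups keep working, but carry no other account data.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same PAN -> same token, so analytics still join
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice in this example: reject candidates that pass Luhn,
            # so a token can never be mistaken for (or charged as) a live PAN.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, behind strict access control, can reverse a token."""
        return self._token_to_pan[token]


def build_memory_image(pan: str, expiry: str = "2512", service: str = "201") -> bytes:
    """Constructed fake POS process memory containing Track 2 data for `pan`."""
    track2 = f";{pan}={expiry}{service}0000000000?".encode()
    return b"\x00" * 32 + b"POS_APP_v1.2 " + track2 + b" checkout" + b"\x00" * 32


def demo():
    """Scrape a buffer holding the real PAN, then one holding only its token."""
    vault = TokenVault()
    raw = build_memory_image(SAMPLE_PAN)
    found_before = scrape_track2(raw)        # the scraper wins: real PAN in the clear

    token = vault.tokenize(SAMPLE_PAN)
    protected = build_memory_image(token)    # a system that only ever held the token
    found_after = scrape_track2(protected)   # the pattern still matches...
    usable = [p for p in found_after if luhn_valid(p)]  # ...but nothing found is a valid PAN
    return found_before, token, found_after, usable, vault.detokenize(token)


if __name__ == "__main__":
    before, tok, after, usable, original = demo()
    print("scraped from raw memory:      ", before)
    print("token issued:                 ", tok)
    print("scraped from tokenized system:", after, "-> usable PANs:", usable)
    print("vault detokenizes back to:    ", original)
```

The honest reading of the second half: a system that holds only tokens (databases, logs, settlement files, loyalty exports) gives the scraper nothing worth selling. The raw PAN still exists for a moment at the card reader, and that is the moment P2PE is for; tokenization takes over from there.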
The sandwiches at Jason’s Deli are too good for a data breach to happen a third time! It may force me to use cash! Oh no! If you’re reading this and you’re not sure what your company is using to protect the data itself, check us out – www.comforte.com/dataprotection. We also recently completed a 50-minute webinar that goes into detail about deployment and implementation options, which may shed light on how data protection with tokenization can work in your enterprise.