Chipotle Breach Exposes Continued Point-of-Sale Cyber-Security Risks

NEWS ANALYSIS: Chipotle is the latest victim of Point-of-Sale malware that steals credit card information, demonstrating the continued risks that face retailers.


Restaurant chain Chipotle Mexican Grill is the latest to reveal that its payment card systems were breached, exposing users to cyber-crime risks.

Chipotle first began to investigate the possibility of a Point-of-Sale (PoS) breach on April 25 and has now confirmed that many of its restaurants were in fact compromised by PoS malware between March 24 and April 18.

"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle wrote in a security advisory. "There is no indication that other customer information was affected."

Chipotle has not publicly identified the specific strain of PoS malware that infected its systems, though it has stated that the malware has been removed. Chipotle has also stated that it is working with undisclosed cyber-security firms to help improve the company's security.

The incident at Chipotle is far from unique and follows a series of restaurant and retail breaches that have occurred in recent years. Thus far in 2017, restaurant chain Arby's disclosed a breach in February and retailer Brooks Brothers reported a breach in May.

PoS Is an Inviting Target

PoS security incidents have been occurring on a seemingly regular basis since at least December 2013, when retailer Target first disclosed that its systems were breached. After the Target breach there was increased scrutiny of PoS security as the retail chain tried to determine the root cause.

Though the Target breach should have served as a wake-up call to other retailers, other big name store chains also fell victim to PoS security incidents, including Home Depot, which revealed a breach in September 2014. Among the major sources of retail breaches in 2014 was a malware family known as Backoff, which the U.S. Secret Service reported had infected more than 600 businesses.

Retail and restaurant chains that handle credit cards are supposed to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), yet despite that compliance, breaches are still regularly reported. PCI-DSS defines best practices and operational procedures that are intended to help to keep payment card data secure.

Despite the fact that the causes of PoS breaches have been examined and debated since at least 2014, and the fact that PCI-DSS compliance should limit the risk of breaches, incidents like the one at Chipotle continue to occur.

Though it is possible that some retail and restaurant PoS breaches involved zero-day malware, it is more likely that the malware was already known, but the victim had not yet patched the vulnerabilities it used to get in. Having patched software is important to limit the risk of PoS malware, but so too is having multiple layers of monitoring in place.

Just because malware gets onto a system doesn't mean that data has to get out. A Data Loss Prevention (DLP) platform can be used to further limit data loss risks by spotting payment card data before it leaves the network. Monitoring administrative user credentials and activity for signs of misuse is another best practice that helps harden cyber-security defenses.

The simple truth is that PoS malware is not new, and the way PoS malware infiltrates a system and exfiltrates data is well understood by the cyber-security profession. Not every retailer, however, understands PoS attacks or takes all the necessary steps to limit risks, which is why new PoS breaches will continue to occur in the months ahead.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.