Georgia-Based Restaurant Chain Data Breach Impacts 100 Locations


A fast food restaurant chain known for its spicy buffalo wings and hand-breaded chicken fingers has announced a data security breach affecting at least 100 of the company's locations.

Zaxby's Franchising, Inc. said it found malware on the systems of many of its restaurants after it was notified of potential fraudulent activity at dozens of its restaurant locations. In a statement issued Tuesday, the company said it has notified law enforcement and believes the attacks originated from outside the restaurant chain.

"We've engaged a security firm, and the investigation is ongoing, so a lot of this information is very preliminary," said Blake Bailey, chief financial officer for Zaxby's, in an interview with CRN. "We wanted to be proactive, honor the guest relationship and be transparent by letting people know that this issue is out there."


Bailey said the firm was notified Nov. 9 by one of its credit card processors of potential fraud emanating from some of its restaurant chains. The malware was not directly on the point-of-sale systems at the restaurant locations but on the hard drives on computers in the restaurants, Bailey said.

"We don't know with certainty when the files appeared, so it's preliminary in a sense that we want to take an abundance of caution," Bailey said adding that the credit card processors are working with the impacted restaurants.

Restaurant and hotel chains are among the most impacted industries, according to the 2012 Verizon Data Breach Investigations Report. The study, which analyzed more than 800 breaches making up 174 million compromised records, found that restaurant franchises were a very attractive target for financially motivated cybercriminals. Smaller businesses typically have little or no IT staff and few safeguards in place to protect against external attacks. The problem, according to Verizon, is point-of-sale systems that use default or weak administrative passwords and poorly configured firewalls.

Tom Cross, director of security research at network monitoring firm Lancope, said PCI compliance is not foolproof. Organizations that meet the minimum standard need to maintain it, he said. "A computer at a business used to process large numbers of credit card transactions is a gold mine for such an attacker," he said.

Bailey added that the computers in the Zaxby's restaurants were connected to the Internet, but that each restaurant was not storing credit card data. All the data was encrypted before being sent to the processor, he said.

The Athens, Ga.-based chain said a computer forensics team discovered malware on the computer systems at certain locations. "Zaxby’s Franchising, Inc. is working with all of its store locations to implement additional security measures to prevent further intrusions," the company said in a statement.

The company has identified about 100 locations that may have been impacted and is urging people who have visited the locations to check their banking statements for suspicious activity.

Founded in 1990, Zaxby's operates in more than 560 locations in 13 states, including Alabama, Arkansas, Florida, Georgia, Indiana, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina, Tennessee, Texas and Virginia.

PUBLISHED JAN. 15, 2013