Checkers Drive-In Restaurants says hackers compromised payment machines at more than 100 of the fast-food company’s locations, providing the latest example of how buying a drive-through cheeseburger can come with the risk of a data breach.
Point-of-sale malware was lurking at 102 of Checkers and Rally’s locations in 20 states, the Florida-based company said in a bulletin Wednesday. Thieves collected data stored on magnetic card strips, including cardholders’ names, payment card numbers, card verification codes and expiration dates — everything they would need to conduct their own transactions or resell that data on cybercriminal forums.
The exposure period for many of the affected stores ended in April, though some locations were vulnerable dating back to 2016 or, in the case of one California restaurant, 2015. The company did not specify the number of customers affected.
Checkers didn’t offer many details about the hack, but the almost non-stop breach disclosures from similar targets reveal how cybercriminals are exploiting insecure corporate systems to make off with customers’ cash.
Texas-based Taco Bueno in February said that roughly 150 of its restaurants may have been hit by thieves who had unauthorized access to data from payment cards over a five-month period last year. A similar breach affected Earl Enterprises, parent company of Planet Hollywood and Buca di Beppo, with Krebs On Security pegging the number of customers affected at roughly 2 million. Last year the Pacific Northwest chain Burgerville was a target, and the Chili’s chain also disclosed a breach.
The criminal business model is simple: Steal as many credit cards as you can, then use the numbers before a bank can deactivate them. But stopping the thieves has proven to be anything but easy.
While these fast-food breaches have occurred on physical payment machines, the most notorious group of card thieves, known as Magecart, has pilfered data from dozens of online checkout sites including British Airways, BevMo and OXO, the housewares giant. The scammers, who operate in a number of groups, have stolen data from thousands of sites, quietly siphoning data by inserting malicious commands into restaurants’ and retailers’ supply chains. And now, other groups are starting to imitate their tactics.