Chick-fil-A Confirms Breach Investigation
In a prepared statement Wednesday, national fast food chain Chick-fil-A confirmed that it received reports of “potential unusual activity involving payment cards at a few of its restaurants.”
“We take our obligation to protect customers’ information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts,” the Atlanta-based company said in a prepared statement.
The company said it received the first report of a potential breach on Dec. 19 and launched an investigation.
“If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts --- any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card,” Chick-fil-A said in a statement. “If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
The company did not report how many restaurants or which locations were involved in the possible breach.
Brian Krebs, a security news and investigation blogger, reported that an anonymous banking source said that “Chick-fil-A locations across the country were impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.”
Krebs also reported that he first began “hearing from banks about possible compromised payment systems at Chick-fil-A restaurant in November, but the reports were spotty at best.”
According to Krebs, one bank had nearly 9,000 customer cards listed in an alert from a major credit card association, and the only common points of purchase were Chick-fil-A locations. That breach apparently occurred between Dec. 2, 2013 and Sept. 30, 2014, but it wasn’t reported by the major credit card company until just before Christmas, Krebs wrote in his blog.
Additionally, Chick-fil-A had been concerned about breaches earlier, according to one newspaper report.
A company spokesperson told The Atlanta Journal-Constitution in early December that the company postponed a mobile payment rollout on its phone app to “triple check security.”
Chick-fil-A also did not say when the investigation would be completed.
In a prepared statement released Wednesday, NAFCU President/CEO Dan Berger renewed the association’s push for a national data security and breach notification standard for retailers amid news of the possible data breach at Chick-fil-A restaurants.
“Unfortunately, 2014 has turned out to be the year of the data breach and now we have the latest report of yet another retail data breach,” Berger said. “Congress must make passing a national data security standard for retailers a top priority when it returns next week. Congress should hold retailers subject to the same national data security standards that apply to financial institutions, such as the requirements of the Gramm-Leach-Bliley Act.”
He noted that NAFCU estimated the Target data breach will cause financial institutions to lose nearly $500 million in card replacement costs and other expenses.
And since Target’s data breach, a major data breach has been discovered almost every month, with breaches reported at Home Depot, Michaels stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, P.F. Chang’s Chinese Bistro, Supervalu, Dairy Queen, Jimmy John’s, Kmart, Staples and Bebe Stores, Berger said.
According to the Identity Theft Resource Center, there were more than 760 breaches in 2014, a 25% increase from 2013.
NAFCU said it will continue to lobby for legislative action on Capitol Hill when the 114th Congress convenes next week. The association has also written Congress urging it to create a bipartisan-bicameral working group to develop legislative responses to retailer data security breaches.