Hackers are currently selling a trove of 3 million credit card numbers and, apparently, customer records stolen from Dickey’s Barbecue Pit, one of the largest grill chains in the United States.
The company today issued a statement about the hack and indicated that charges made on the stolen cards will be reversed.
“We received a report stating that a security incident with a payment card may have taken place. We take this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the affected locations and time frames involved. We use the experience of third parties who have helped other restaurants solve similar problems and also work with the FBI and payment card networks. We understand that the rules for payment card networks generally stipulate that persons who timely report unauthorized charges to the bank that issued their cards are not responsible for these charges,” a spokesman for Dickey’s wrote.
Security company Gemini Advisory found the data on a hacker site called The Joker’s Stash under the name “BLAZINGSUN.” The data appears to originate from the magnetic stripe (magstripe) data on customer cards.
“This represents a broader challenge for the industry, and Dickey’s could become the latest warning story on lawsuits in addition to financial harm from cyber-security attacks,” wrote researchers from Gemini.
Dickey’s experienced a ransomware attack in 2015 and recently claimed to have locked down its servers. However, this recent attack suggests that hackers have breached a central payment service and could have even more data available for sale.
The hackers are selling the card numbers on Joker’s Stash for $17 each. Because every Dickey’s location is able to run its own point-of-sale system, it appears that this breach affected a central payment processor that allowed hackers to access data from 156 of the company’s 469 locations. The hackers claim that the data is “very valid”, which means that 90 to 100 percent of the cards are active and usable.
We have reached out to Dickey’s for further comment. Gemini estimates that the hackers released information from the company between July 2019 and August 2020, giving them 10 months of detailed customer records.