PDQ Restaurants: Issues
PDQ is a restaurant chain with locations in several US states. Although based in Florida, the chicken chain has grown northward through many states. Despite its popularity, it recently suffered an incident affecting primarily the restaurants in the Triangle region of North Carolina (NC).
Attack
If you ate at the restaurant within the last year and paid with a credit card, it would be prudent to check your credit accounts in detail, as the card information may have been affected by an attack. The business was targeted; the attackers went through their cycle of reconnaissance and the other usual steps, and successfully compromised the credit card system. Naturally, since this is where the data is located, the attackers focused their attention on this area.
After the breach succeeded and the attackers had removed the data they wanted, the compromise was discovered much later, and PDQ hired a cybersecurity firm for the forensic work. That firm would assuredly be much better equipped to research the specifics of the attack and compromise. The scope may not be limited to the card system alone: if the attackers were able to pivot from that foothold into other data-intensive areas, the breach may be far more expansive than the restaurant's card data. The restaurant, in response to the confirmed breach, informed the North Carolina Department of Justice on June 23, 2018.
Time Frame
After the forensic team analyzed the breach, it determined that the attackers had unfettered access from May 19, 2017 to April 20, 2018. That is roughly 11 months of complete access to the credit card system. The attackers finished their data gathering in late April 2018, and the company learned of the breach on June 8, 2018. Had the attackers not already gathered as much data as they did, they would presumably have continued until at least June 8th.
Given the breadth of the breach, it is difficult to determine how many of the restaurant's customers were actually affected. Presumably the attackers worked to collect all of the credit card information available, but they may not have captured everything processed during the entire period the system was compromised.
Attack Vector
The attack was clearly successful: the attackers had extended access to the system without the company's knowledge and exfiltrated a large amount of data without the cybersecurity team noticing.
The attackers are believed to have gained entry into the system through a third-party vendor's remote connection tool. This resembles many other compromises of larger companies' systems, including a well-known retail breach from years ago. Here, too, the path to the credit card system ran through the vendor's access.
This incident also brings to the forefront the issue of trusting vendors without requiring them to complete cybersecurity questionnaires. Companies need to vet the third parties they bring in to do work, and the lack of cybersecurity diligence here has been costly to many retail establishments.
Data Exfiltrated
The attackers, of course, had planned on collecting whatever data they could sell. This included all or a portion of the customers' names, credit card numbers, expiration dates, and cardholder verification values. This data is perfectly useful to sell on the dark web and elsewhere, and creates a bit of a bother for the affected parties.
Client Recommendation
As the company was breached and data exfiltrated, the situation obligated some form of guidance for the affected parties. Not all of the affected parties would be savvy enough to know what to do, or possibly even be inclined to act. The North Carolina Department of Justice recommended freezing their credit with the credit reporting agencies (Equifax, Experian, and TransUnion). This is a good step; however, it has its drawbacks. If the client were to apply for additional credit, the client would need to unfreeze their credit, wait 3-5 days, apply, and later re-freeze it. Although this works well, it tends to be cumbersome whenever a third party needs to access the client's credit.
Clients who do not freeze their credit need to check their credit report regularly instead. If the client's identity were used fraudulently, a regular review would allow the issue to be caught and managed early on. Remediation would still require effort, but early detection would contain the on-going issue.
Thoughts
The attackers had access for 11 months. This is clearly far too long for unauthorized parties to have unfettered access. The InfoSec team, or at the very least their SIEM, should have noticed the unfamiliar IP addresses accessing the system at unusual hours, or the data being exfiltrated night after night.
The compromised system was not accessed by the attackers after April 20, 2018, yet the breach was not discovered until June 8. This suggests the attackers had secured their quota of credit card numbers, or had all the data they could use. The lag allowed the attackers to begin marketing the data unchecked and unknown to PDQ. Had the breach been found much earlier, the damage could have been limited in some form or manner.
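The two signals mentioned above, logins from unexpected sources at odd hours and outbound transfers recurring night after night, are the kind of thing a SIEM correlation rule is meant to surface. The following is an added example, not code from the original article or from PDQ or its forensic firm: a small Python detection pass over constructed remote-access and egress log lines. The vendor address range, maintenance window, host names, IP addresses, byte thresholds and every log line are constructed for illustration.

```python
"""
Added example (not part of the original article): a minimal detection pass
over constructed remote-access and egress log lines. It flags
  (a) logins to the card system from source IPs outside the vendor allowlist,
      or vendor logins outside the agreed maintenance window, and
  (b) repeated night-time outbound transfers from the same source,
      the "night after night" pattern described in the article.
All addresses, hosts, thresholds and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed allowlist: the remote-support vendor's published address range
# and the local-time hours during which vendor maintenance is permitted.
VENDOR_NETWORKS = [ip_network("203.0.113.0/24")]
MAINTENANCE_HOURS = range(8, 18)   # 08:00-17:59

# Constructed sample log: "timestamp,event,src_ip,dst_host,bytes_out"
SAMPLE_LOG = """\
2018-03-01T10:12:00,login,203.0.113.7,pos-db01,0
2018-03-01T02:14:00,login,198.51.100.23,pos-db01,0
2018-03-01T02:20:00,transfer,198.51.100.23,pos-db01,48000000
2018-03-02T02:16:00,login,198.51.100.23,pos-db01,0
2018-03-02T02:22:00,transfer,198.51.100.23,pos-db01,51000000
2018-03-03T02:15:00,login,198.51.100.23,pos-db01,0
2018-03-03T02:21:00,transfer,198.51.100.23,pos-db01,47000000
2018-03-03T14:05:00,transfer,203.0.113.7,pos-db01,2000000
"""


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, src, dst, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "src": ip_address(src),
            "dst": dst,
            "bytes": int(nbytes),
        })
    return events


def is_vendor_ip(ip):
    """True if the source address falls inside the vendor's allowlisted ranges."""
    return any(ip in net for net in VENDOR_NETWORKS)


def suspicious_logins(events):
    """Return (timestamp, source, reason) for logins from unknown sources or
    vendor logins outside the maintenance window."""
    hits = []
    for e in events:
        if e["event"] != "login":
            continue
        if not is_vendor_ip(e["src"]):
            hits.append((e["ts"].isoformat(), str(e["src"]), "unknown-source"))
        elif e["ts"].hour not in MAINTENANCE_HOURS:
            hits.append((e["ts"].isoformat(), str(e["src"]), "off-hours"))
    return hits


def nightly_exfil_candidates(events, min_nights=3, min_bytes=10_000_000,
                             night_hours=range(0, 6)):
    """Map source -> number of distinct nights on which it moved at least
    min_bytes out during night_hours; only sources seen on min_nights or
    more nights are returned, so a single large but legitimate transfer
    does not trip the rule."""
    nights_by_src = defaultdict(set)
    for e in events:
        if (e["event"] == "transfer" and e["ts"].hour in night_hours
                and e["bytes"] >= min_bytes):
            nights_by_src[e["src"]].add(e["ts"].date())
    return {str(src): len(nights) for src, nights in nights_by_src.items()
            if len(nights) >= min_nights}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in suspicious_logins(evs):
        print("suspicious login:", hit)
    for src, nights in nightly_exfil_candidates(evs).items():
        print(f"nightly exfiltration candidate: {src} seen on {nights} nights")
```

Run stand-alone, the script reports the three early-morning logins from the non-allowlisted address and names that same address as a nightly exfiltration candidate seen on three nights, while the vendor's daytime login and daytime transfer pass silently. The thresholds are deliberately simple; in practice the allowlist and maintenance window would come from the vendor contract, and the byte threshold from a baseline of the system's normal egress.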
About the Author - Charles Parker, II has been working in the InfoSec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and InfoSec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.