On the surface, a restaurant or restaurant chain would not seem to be a high-value target near the top of an attacker's list, since restaurants do not typically retain the kind of PII (name, Social Security number, medical records and other confidential data) that banks or hospitals do. Curiously, though, this industry holds data that is every bit as saleable as the rest: payment card numbers. Attackers monetize these in a few well-worn ways we have seen time and time again, either selling the card data in bulk or cloning physical cards by encoding the stolen data onto a blank card's magnetic stripe. One restaurant chain that ran into exactly this in 2019 was Huddle House. Huddle House, headquartered in Atlanta, is a casual dining and fast food operation.
Huddle House was targeted by an attack that proved very successful. On February 1, 2019 it released a statement disclosing a malware infection. As with other retailers, the system breached was the point-of-sale (PoS) system, which was infected with malware at various locations; the PoS system was supplied and supported by a third party. The malware was written to let the attackers harvest the payment card data of Huddle House's customers: name, credit or debit card number, expiration date, cardholder verification number and service code. That field list is essentially magnetic stripe track data, which is precisely what is needed to clone a card. With that data, someone could have a great shopping experience on someone else's dime.
Unfortunately, the malware variant was not disclosed. That would have been very useful, not only for research but for other businesses to learn from: what to watch for, how it worked, and so on.
The delivery mechanism was the interesting part. The attackers gained remote access by exploiting the third party's remote assistance tools, and then used that vendor access to push the malware onto the PoS systems. It is not established that every Huddle House was hit, but an estimated 341 locations were potentially exposed. With the malware spread across that many stores, its reach grew every time a customer swiped a credit or debit card.
The infection was noticed only after a good deal of time had passed. The window of exposure ran from August 1, 2018 to February 1, 2019. In essence, anyone who used a card at an affected location during those six months should assume their card data is at risk.
Another interesting aspect is that Huddle House itself did not detect the malware; it saw no indication of a problem. The breach was detected by law enforcement and by Huddle House's card processor. One would expect Huddle House to have noticed something in its own logs.
Once notified, the investigation began. Initially the business had no idea how many of its locations were involved or how many customers were affected. Within 24 hours of becoming aware, it had contracted a third-party forensics firm and was working with law enforcement.
The customer notification advised clients to monitor their card statements and, if warranted, call their card issuers to request new cards. While helpful, and obvious, this still created work for customers now and into the future.
Lessons (Not) Learned (Still)
The Huddle House story is much like most other breaches; there is nothing about it that stands out from the rest. What makes it a bit more interesting is the attack path. The old saying is that you are only as strong as the weakest link, and that continues to be the case. When a business grants another organization (a third party) access to its network or data, it is letting in not just the third party but all the baggage and weaknesses of the third party's systems as well. An attacker who compromises the vendor then has everything the vendor was given access to, and often more, since vendor access is seldom scoped as tightly as it should be.
Consider a massive retailer with stores throughout the US that lets third parties onto its network. They are granted authorized access to upload invoices or perform various other functions. As they connect and log in, any infection on their side may be carried over to your systems. This is the problem at the intersection of cybersecurity and supply chain management. While a business has some level of visibility into its own network, that visibility generally does not extend to its third parties. Getting cybersecurity data out of vendors is difficult, as this is new ground for them, and naturally they do not want to tell others about their vulnerabilities for fear the information could be obtained by unauthorized parties and exploited. A SOC report, or a similar assessment, shows where their weak points were on a given day, and in the wrong hands that could create a large problem.
As time passes and these requests become more numerous and more frequent, that attitude will slowly change. Until then, start asking for these reports, keep asking, and write the requirement into contracts. Both the business and the third-party vendor have to understand that this connection is an attack point. If everyone keeps their head in the sand hoping all will be well, all will not be well. Just ask the national retailer whose HVAC vendor's network access was used to introduce malware that reached its PoS systems just before the holiday shopping season, in one of the largest breaches on record in both dollars and people affected (Target, 2013).
It is also notable that Huddle House had no idea there was a problem until it received the call. If an estimated 341 sites were affected and card data was being sent to the command-and-control (C&C) servers in small or large blocks, one would think the cybersecurity team could have looked at the logs and noticed the activity, either from the volume of data or the frequency of the connections. Granted, the logs can be large, but that is what SIEMs are for, and a short script can also parse them looking for trends: the same unexpected destination showing up across many stores, regularly timed outbound connections, or outbound volume from terminals that should only ever talk to the payment processor.
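The kind of log sweep the two preceding paragraphs call for, as an added example written for this article (it is not Huddle House's code, the vendor's tooling, or any SIEM content). The log format, the store host names and the IP addresses (RFC 5737 documentation ranges) are constructed; the allow-list of expected destinations and the thresholds are assumptions you would replace with your own baseline. It parses per-connection egress records from PoS hosts and flags unknown destinations on three signals: many stores talking to the same unknown address, the total bytes sent there, and regularly spaced (beacon-like) connections.

```python
"""
Flag likely card-data exfiltration in PoS egress logs.

Added example for this article, not Huddle House's code or any vendor's tooling.
Log format, host names, addresses (RFC 5737 ranges) and thresholds are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# One record per outbound connection: timestamp  pos_host  dst_ip  dst_port  bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dst>[\d.]+)\s+(?P<port>\d+)\s+(?P<bytes>\d+)$"
)

# Destinations a PoS terminal is expected to reach (assumed: payment processor and
# patch server). Anything else is treated as unknown and scored.
ALLOWED_DESTS = {"198.51.100.10", "198.51.100.11"}

# Constructed sample: three stores beaconing every 30 minutes to the same unknown
# host with ~5 KB per connection, mixed with normal processor traffic and one-off noise.
SAMPLE_LOG = """\
2019-01-14T01:58:12 pos-store-017 198.51.100.10 443 1840
2019-01-14T02:00:00 pos-store-017 203.0.113.45 443 5120
2019-01-14T02:05:00 pos-store-042 203.0.113.45 443 4990
2019-01-14T02:09:41 pos-store-042 198.51.100.10 443 2210
2019-01-14T02:11:00 pos-store-211 203.0.113.45 443 5000
2019-01-14T02:17:33 pos-store-017 192.0.2.9 80 300
2019-01-14T02:30:00 pos-store-017 203.0.113.45 443 5180
2019-01-14T02:35:00 pos-store-042 203.0.113.45 443 5010
2019-01-14T02:41:00 pos-store-211 203.0.113.45 443 5030
2019-01-14T02:44:05 pos-store-211 198.51.100.11 443 900
2019-01-14T03:00:00 pos-store-017 203.0.113.45 443 5090
2019-01-14T03:05:00 pos-store-042 203.0.113.45 443 5120
2019-01-14T03:11:00 pos-store-211 203.0.113.45 443 4980
2019-01-14T03:30:00 pos-store-017 203.0.113.45 443 5200
2019-01-14T03:35:00 pos-store-042 203.0.113.45 443 5050
2019-01-14T03:41:00 pos-store-211 203.0.113.45 443 5060
"""


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "bytes": int(m["bytes"]),
        })
    return events


def is_beaconing(timestamps, min_events=4, max_cv=0.15):
    """True when connections are evenly spaced: low coefficient of variation of gaps."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def find_exfil(events, allowed=ALLOWED_DESTS, min_hosts=3, min_bytes=10_000):
    """Return {dst_ip: evidence} for unknown destinations worth an analyst's time."""
    per_pair = defaultdict(list)
    for e in events:
        if e["dst"] not in allowed:
            per_pair[(e["host"], e["dst"])].append(e)

    per_dst = defaultdict(lambda: {"hosts": set(), "bytes": 0, "beaconing_hosts": set()})
    for (host, dst), evs in per_pair.items():
        info = per_dst[dst]
        info["hosts"].add(host)
        info["bytes"] += sum(e["bytes"] for e in evs)
        if is_beaconing([e["ts"] for e in evs]):
            info["beaconing_hosts"].add(host)

    findings = {}
    for dst, info in per_dst.items():
        reasons = []
        if len(info["hosts"]) >= min_hosts:
            reasons.append(f"{len(info['hosts'])} PoS hosts contact the same unknown address")
        if info["bytes"] >= min_bytes:
            reasons.append(f"{info['bytes']} bytes sent out")
        if info["beaconing_hosts"]:
            reasons.append(f"regular beaconing from {sorted(info['beaconing_hosts'])}")
        if reasons:  # single low-volume one-offs (192.0.2.9 above) stay quiet
            findings[dst] = {**info, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dst, info in find_exfil(parse_log(SAMPLE_LOG)).items():
        print(dst, "->", "; ".join(info["reasons"]))
```

On the sample, only 203.0.113.45 is reported, on all three signals, while the single 300-byte connection to 192.0.2.9 is ignored. In a fleet of a few hundred stores the first signal is the strongest one: a PoS terminal has a very short list of legitimate destinations, so an address that is not on that list yet is contacted by many stores is rarely benign. The allow-list should come from the PoS vendor's and processor's documentation, not from whatever the terminals happened to talk to last month.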
Abrams, L. (2019, February 5). Huddle House fast food chain suffers data breach in POS system. Retrieved from https://www.bleepingcomputer.com/news/security/huddle-house-fast-food-chain-suffers-data-breach-in-pos-systems/
CUToday. (2019, February 6). Restaurant chain announces data breach. Retrieved from https://www.cutoday.info/Fresh-Today/Restaurant-Chain-Announces-Data-Breach
Huddle House. (2019, February 1). Important security and personal data protection notification. Retrieved from https://www.huddlehouse.com/data-protection-notification/
Muncaster, P. (2019, February). Huddle House suffers POS malware breach. Retrieved from https://www.infosecurity-magazine.com/news/huddle-house-suffers-pos-malware/
NNT. (2019, February 5). Huddle House restaurant chain suffers POS malware breach. Retrieved from https://www.newnettechnologies.com/huddle-house-restaurant-chain-suffers-pos-malware-breach.html
The Paypers. (2019, February 5). Huddle House announces security breach, POS system is affected. Retrieved from https://www.thepaypers.com/digital-identity-security-online-fraud/huddle-house-announces-security-breach-pos-system-is-affected/777240-26
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.