Some 3 million credit card numbers belonging to customers of Dickey’s Barbecue Restaurants Inc., the largest BBQ franchise in the U.S., are being offered for sale on the dark web after the company was hacked.

The stolen credit card details were discovered on a dark web carding site called “Jokers Stash” by security researchers at Gemini Advisory LLC. The breach, dubbed “BLAZINGSUN” on the forum, is alleged to included credit card data from 35 U.S. states and some countries across Europe and Asia.

How the data was stolen is a complete mystery at this point with Dickey’s BBQ not officially admitting to the hack and theft of data on their website as of the time of writing. With some sense of irony, the company’s website includes a California Consumer Privacy Act disclosure form; under CCPA, it’s required to disclose any incident that involves the theft of customer data.

Cyberscoop reported that the company has responded in a statement, saying that “we received a report indicating that a payment card security incident may have occurred… we are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.”

“Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” the Gemini researchers said in a blog post.

James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE that the criminals could have lifted credit card information, names and possibly email addresses.

“Anyone who has visited this organization in the past six months will be wise to actively monitor their bank accounts and credit card transactions for any fraudulent or suspicious charges,”  McQuiggan noted. “If they discover any, they should report it as soon as possible to the financial institution.”

Warren Poschman, senior solutions architect with data security company comforte AG, said that with COVID-19 pushing businesses in the fast-casual restaurant segment to the brink, attackers are taking advantage of lax security while many are in survival mode. “Regardless of the ill timing, organizations need to ensure that every step in the payment cycle is secured from acquisition to settlement,” he said.

Saryu Nayyar, chief executive officer of security and risk analytics firm Gurucul Solutions Pvt Ltd. A.G., noted that the credit card dump indicates, for one, a lack of consistency and enforcement in PoS terminal operations. “The fact that we are still seeing mag-stripe based data, when chipped cards have been ubiquitous for years, indicates that many retailers have not taken card security seriously,” he said.

The second issue is the apparent fact that this breach was ongoing for more than a year. “Organizations need to do more and quickly to prevent this kind of theft,” Nayyar said. “They need to deploy the latest PoS equipment, even at small franchise locations, and have an up to date security stack, including behavioral analytics, that can detect a breach long before three million customer credit card numbers wind up for sale on the dark web. This was most likely entirely preventable.”

Photo: Willis Lam/Flickr