Northwest fast food chain hack exposed customer credit cards

A beloved regional burger chain in the Pacific Northwest is the latest fast food company to suffer a major data breach.

Burgerville, headquartered in Vancouver, Wash., disclosed today that any customers who used a credit or debit card from September 2017 to September 2018 at any of its locations may have had their card details stolen. The company operates 42 locations in the region.

In August, the FBI contacted Burgerville to notify the company that it had been targeted in a cyberattack. The company believed that intrusion to be “brief” until September 19, when an internal forensics team identified that the chain was still affected by malware running on its systems. Burgerville coordinated with the FBI to neutralize and contain the malware, working with an external cybersecurity firm.

“As soon as Burgerville learned the intrusion was still active, the company immediately began steps to completely eradicate this breach, necessitating that all Burgerville systems be taken offline and upgraded simultaneously without any warning to the criminals,” the company said in a press release.

TechCrunch contacted Burgerville and the FBI to ask how many customers might have been affected by the hack. The company declined to provide additional details at this time.

While the company has yet to disclose many technical details, it attributed the attack to Fin7, a “prolific” international cybercrime group. In August, the Department of Justice apprehended three members of Fin7 involved in “a highly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.” Believed to be a billion-dollar operation, Fin7 operates under the guise of a front company while selling stolen data in online marketplaces.

The attack on Burgerville was likely accomplished by malware that infected its point-of-sale systems — a common target in the recent surge of restaurant cyberattacks. In this case, the company confirms that attackers were able to exfiltrate names, credit card numbers, expiration dates and CVV numbers.

According to the Department of Justice report, Fin7 began many of its attacks with spear phishing campaigns that delivered attachments laced with an “adapted version” of the malware known as Carbanak. An FBI report provides more detail on the group’s methods.

As part of its August announcement, the Department of Justice noted that Fin7 was behind already disclosed hacks of Chipotle, Chili’s and other food chains, including local businesses in Western Washington that remained unnamed at the time.