Not Your Average Joe's targeted by fraudsters

Date Reported:
10/24/07

Organization:
Not Your Average Joe's Restaurant

Contractor/Consultant/Branch:
None

Victims:
Patrons at all 13 Massachusetts chain restaurants in August and September, 2007.

Number Affected:
3,500*

*based on the official Not Your Average Joe's estimate "significantly fewer than one percent of the nearly 350,000 customers we served"

Types of Data:
Name, credit card number and expiration date.

Breach Description:
Massachusetts restaurant chain Not Your Average Joe's issued a statement on October 23rd stating that their restaurants were targeted by someone seeking to illegally obtain credit card data belonging to customers.

Reference URL:
Boston Business Journal
South Coast Today
Not Your Average Joe's Alert

Report Credit:
Not Your Average Joe's

Response:
From the official Not Your Average Joe's statement and other online resources cited above:

"Massachusetts restaurant chain Not Your Average Joe's issued a statement Tuesday that said its Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data."

"Diana Pisciotta, a spokeswoman for Not Your Average Joe's, said the thefts affected customers who dined at all of the chain's 13 Massachusetts locations"

"We sincerely apologize to our customers for any inconvenience that this issue may cause them."
[Comfyllama] I appreciate apologies. We are all human, we make mistakes, and we miss simple details that can lead to security breaches. Admitting it is more than half the problem.

"Though the external investigation into the cause and impact of this activity is still underway, based on what we have learned to date the activity occurred largely between early August and late September; there has been no evidence that any credit card data was fraudulently obtained after September 29."

"Based on preliminary conversations with the credit card companies, it appears that this issue has impacted significantly fewer than one percent of the nearly 350,000 customers we served during that period."
[Comfyllama] This statement is puzzling to me. How does Not Your Average Joe's come to this conclusion? If they are relying on information received from the credit card companies, then this implies that fraudulent activity has already taken place. This "fewer than one percent" number counts only fraudulent activity that has ALREADY happened, which offers no assurance that this is the only fraudulent activity that WILL occur.

"Investigations indicate that no member of the Not Your Average Joe’s staff was involved."

"The only data our company has access to are the credit card number, expiration date and name associated with the card. Not Your Average Joe’s does not have any other identifying data; therefore, this is not a situation where identity theft is likely."
[Comfyllama] This is some consolation. Key word is "likely".

"Not Your Average Joe’s has always taken the security of data transmissions very seriously; all of our stores were already equipped with extensive security systems."
[Comfyllama] Did you notice the word "transmissions"? Not Your Average Joe's has been tight-lipped about how this breach occurred, but this statement gives us a vital clue. I speculate that this breach occurred through insecure wireless or a tap placed at one of the restaurants. My bet is on insecure wireless.

"Once Not Your Average Joe’s became aware of this issue, we took several important steps:
  • Contracted with an external forensic analyst to help us identify the cause; that analysis is ongoing
  • Immediately took steps to further increase the security of our data systems; while we cannot detail these steps without compromising ongoing security, we believe all credit card transmittals are secure
  • Closely cooperating with credit card companies, local police, the Secret Service and other third-party agencies that are reviewing this issue"
[Comfyllama] I like the fact that Not Your Average Joe's brought in a third party to help with the investigation, but I do NOT like the "we cannot detail these steps" part of this statement. A company that knows how to run information security understands that there is NO security through obscurity.

"The security systems Not Your Average Joe’s has in place today far exceed industry standards."
[Comfyllama] If I am a victim, do I care? Managing security according to "industry standards" is by no means "best practice", especially in retail!

"We really value the relationships we have with our customers, and we want them to feel confident in us," Ms. Pisciotta said. "It's important to us that our customers have the information they need to protect themselves."

"Anyone who dined at Not Your Average Joe's who finds any suspicious transactions on their credit-card statements is urged to immediately contact their credit-card companies."
[Comfyllama] We should all be monitoring our credit card statements closely and regularly for any suspicious activity.

Commentary:
It's not clear how this breach took place. Based on the limited information provided by Not Your Average Joe's, it appears that the data was compromised while in transmission (sent from one place to another). An insecure wireless network is the first plausible vulnerability that comes to mind.

I don't think that this is the end of this story.


Past Breaches:
Unknown



Comments
  • 11/14/2007 11:52 PM Jim wrote:
    I work for a credit union. We got hit pretty bad by this one. The transactions are for big dollar amounts in the Philippines and Wal-Marts in Ohio.
  • 12/14/2007 12:47 PM Ali Santarlasci wrote:
    I just found charges on my November bank statement that my bank says are from the Joe's problem. There were about 20 charges all made in Canada between November 5th and November 7th 2007. The person had a fraudulent card made and used it for taxis, gasoline and others that all require a card and a signature. Makes me doubt the statement from the restaurant that it was 'data in transit' that was compromised.

    Billerica, MA - ate at the Burlington, MA store