Chick-fil-A investigates payment card data breach

As reported by IT Governance ITG

Chick-fil-A, the Georgia-based fast food restaurant chain, announced on January 2 2015 that it is investigating a potential data breach involving customer payment cards.

The sandwich chain was notified of suspicious card activity by its payment industry contacts on December 19 2014. For two weeks, Chick-fil-A has been working with relevant authorities to fully understand the extent of the problem. It is currently unknown how many restaurants have been affected and, indeed, how many customers.

Chick-fil-A has contacted federal law enforcement about this possible data breach and will arrange free identity protection services to any affected customers. All customers are advised to regularly monitor their card accounts and check for suspicious activity.

All organizations that store, transmit, or process payment card holder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Among other things, it requires merchants and member service providers (MSPs) to:

  • Build and maintain a secure IT network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

It is not yet known whether responsibility for the data breach lies with Chick-fil-A or a third-party vendor involved with the payment data.

My prediction as the year starts is that more sophisticated attacks against Card data will become increasingly popular. Backing this up is the availability of ‘off the shelf’ scripts and hacking tools that can be downloaded, meaning the importance of compliance with PCI-DSS is paramount.

Let us take the worry of compliance and protection from your day to day operations, and feel free to speak to us about your concerns.