Breach, Threat Management, Data Security, Malware

Cicis Pizza delivers the bad news, confirms breach at 138 locations

Cicis Pizza has officially acknowledged a payment card data breach in 138 of its restaurant locations, after reports of a point-of-sale malware attack first came to light last month.

According to a company statement and accompanying list of breached locations, the Coppell, Tex.-based chain in early March began receiving reports from locations that their POS systems were behaving strangely. An examination by the POS vendor turned up malware at certain locations, resulting in a methodical, company-wide security review and remediation effort. Texas was the state most hard hit by the attack, with 87 locations impacted.

A forensics firm further investigated the incident, and confirmed in a July 19 report to Cicis that most stores were compromised in March 2016. However, Cicis notes in its statement that a “smaller percentage” of affected restaurants had intrusions dating back to 2015. The company also acknowledged that payment card information “may have been compromised,” by the malware strain.

“While we believe most of the breaches were remedied within a few weeks of the intrusion, out of an abundance of caution we are not declaring some restaurants as threat-free until they were reviewed by our forensic analyst this month,” the company added.

"Point-of-sale systems are widely considered to be the weakest link in the security chain for retail businesses. Because checkout terminals are in constant use and usually patched less frequently, they are more vulnerable to malware that steals cardholder data," said George Rice, senior director, payments at HPE Security - Data Security, in comments emailed to SCMagazine.com. "To guard against such threats, “many leading retailers and payment organizations have already adopted data-centric security techniques, such as point-to-point encryption and tokenization to remove live data from the reach of advanced malware in insecure systems.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.