
Burgerville discloses year-long data breach, courtesy of FIN7 cybergang


Add fast-casual restaurant chain Burgerville to the list of retail and hospitality companies victimized by the Eastern European cybercrime group FIN7.

The Vancouver, Wash.-based restaurant operator disclosed in an online security alert and FAQ page that it was infected with malware by FIN7, aka the Carbanak Group, resulting in a data breach that compromised customers' payment card information.

The company, which has over 40 locations in the Pacific Northwest, said that any customers who visited a Burgerville restaurant between September 2017 and Sept. 30, 2018 are potentially impacted.

Burgerville said that it learned of the breach through the FBI on Aug. 22, at which point it launched a forensics investigation. But in an unusual twist, the company admits that it was under the impression that the intrusion had been a brief one -- until the forensics investigation showed on Sept. 19 that the attack was still ongoing.

Only then did Burgerville take steps toward remediation, which was completed on Sept. 30. "This has included cutting off the various pathways the intrusion affected and upgrading systems to eradicate this breach," the company stated in its alert.

Burgerville explained it did not announce the breach sooner because it was cooperating with law enforcement officials who requested confidentiality during the investigation. Moreover, the remediation plan "had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network."

The number of affected customers is apparently unknown, the company said, because "The tactics of this particular group of hackers make it very difficult to know exactly how many people were directly affected and exactly which card numbers were stolen. They are adept at concealing their digital footprints."

On Aug. 1, 2018, the U.S. Department of Justice announced the arrest of three alleged FIN7 members, whom law enforcement officials believe helped the cybercrime gang target payment card and financial data processed by more than 100 U.S. companies. Past victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, Jason’s Deli, and what the DOJ described as additional local businesses in Western Washington.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
