It was last year at about this time that we first got wind of an incident involving food services wholesaler Jetro/Restaurant Depot. Malware inserted in their card payment system had exfiltrated mag stripe data (names, card numbers, card expiration dates, and CVV codes) to a server in Russia between late September 2011 and early November 2011. Approximately 300,000 customers were affected, with many of them incurring fraudulent charges on their cards.
Fast forward one year, and Jetro/Restaurant Depot has disclosed another breach.
The firm reports that they first learned of the new compromise on December 4 of this year when some customers started reporting credit card fraud. By December 6, an investigation by Trustwave determined that the intrusion had occurred on November 7th. Taking no chances, the firm advises customers who used their cards at a Jetro/Restaurant Depot store between November 7th and December 5th to not only monitor their credit card statements carefully, but to cancel their cards.
Although Trustwave was able to contain the breach on December 5, details of how the breach occurred were not clear at the time the firm prepared its notification letter to those affected.
Robert Kirschner, President of Jetro/Restaurant Depot, writes that they believe they were “compliant with payment card industry standards at the time of the apparent intrusion” and notes that their payment systems were being monitored 24/7 by Trustwave. The firm had also “expended considerable resources and costs upgrading the credit card processing systems at each of our locations” since last year.
Jetro/Restaurant Depot is certainly not the first firm to claim that they were compliant at the time of a breach. Visa, however, has repeatedly concluded that breached entities were not compliant at the time of their breaches.
It is not known how much, if anything, Jetro/Restaurant Depot paid in fines to card issuers for last year’s breach or whether they will be hit with any fines over this breach. I’ve been told in the past by those in a position to know that most breaches do result in fines.
So what went wrong? We’ll have to wait for more details, but on some level, this breach serves as a painful reminder that even when companies invest and try to upgrade their security, they may still fall prey to a costly intrusion.
Update: Restaurant Depot posted a breach notice on its web site, dated December 19. That notice contains the same information as in the letter submitted to the California Attorney General’s Office.
Update2: BankInfoSecurity reports that Trustwave was monitoring the network 24/7 since after the first breach but did not detect the recent breach. It’s still not clear how the breach occurred as of today (Dec. 28).
So yesterday, I fortunately found a series of 4 illicit transactions on my business account but was able to cancel the card. Pretty enormous headache, lots of miserable time spent trying to prove I’m me, and being left on hold for hours with banks and cops. Miserable. Worst part is feeling absolutely violated and not sure how anyone could have gotten my info. More hours spent trying to figure out where I could have messed up, and changing every account password, etc… This evening, in the mailbox is the letter from Jetro – yup, there’s the breach. What I am most frustrated about is that they knew about the theft a MONTH ago. How did it take them so long to alert their customers? I really feel harmed by their failure to contact all their customers (possible victims) in a timely manner. I could have shut down my business card earlier if I’d known and saved a HUGE hassle and a fair bit of money from my business that I still have to prove is stolen. Bad business practices led to the theft in November, worse ones led to ongoing victimization of their customers on Christmas Eve, no less.
From their statement, they first learned of the breach on December 4 and first had to figure out when it occurred so they’d know whom to notify. So from then until Dec. 24 when you received your letter, that’s actually pretty quick in terms of figuring out whom to notify and getting the letters to their mailboxes. What I find concerning is that this is the second breach in as many years and in both cases, they did not seem to know they had been breached until customers started contacting them to report fraudulent charges on cards used at their stores. Then, too, there’s the important issue of how this happened.
I will be looking for more details on this latter breach when they become available.
My card was used fraudulently last year (after the Jetro breach) and today I got my letter. I looked, and one large charge in Canada (not mine) was on there (with a hefty international transaction fee). When I called to cancel the card, it had been used a second time (in NJ) for $850. That one was denied. I just left a message on Jetro’s President’s voicemail. I asked some of the same questions you have brought up. This happened last year. How could it happen again? Do you think he will call me back?
If you get a call back, please let us know!
One has to wonder if an inside job is involved here. Getting breached twice in 2 years is really getting out of hand. Thankfully, I used my credit card at Restaurant Depot on October 28, a week before the breach so hopefully I should be okay. I did have to cancel my credit card the last time, though.
IF I were a betting man, I’d say the people they brought in to look over where the breach occurred may have missed something. The intrusion can occur on one computer. Then, once the hackers have control of that computer, they can infiltrate the rest of the network. I assume they would exit the same way they got in, and since they typically do, the computer that is making the most chatter HAS to be the one that is the issue.
Sure it was, but I bet if they look deeper into the inner workings of their domain, there are probably other infestations lying in wait. Some may be of rootkit origin, and those can be very, very painful to find. They need to get this under control, or they too may find themselves under the microscope and hit with fines they cannot afford.
If I was assigned to the IT group there, I’d absolutely positively ensure the database was clean of bugs. Then, I would back it up offline. From there, I’d remove all the hard drives and run them over with a steam roller. Rebuild the server that housed the database from scratch, requiring any new accounts to be properly validated. Ensure all passwords are changed. Limit user access to privileged information.
Security or ease of use? PCI compliant or lack of customer trust? There isn’t a fine line to walk here – either you are on the side of compliant or you are not. If you’re comfortable with the level of business that you are producing, and have become lax in your ways, either fire yourself or hire someone to give the place a once-over.
It appears to be another company that goes as long and as far as it can with one thing in mind – the mighty dollar. If a corporation is breached, it should be like a DUI offense. Take them off the mainstream until they become compliant and certified breach-free. You’d be SURPRISED how fast they would come about when they are affected where it hurts.
Oh my god, that’s a LOT of work…. You want to be employed and show due diligence / due care, or be fined to the point of bankruptcy and out of a job? Pick your poison.
2nd time for me as well, and I did not shop at Restaurant Depot on the date they said they were compromised. They never contacted me to let me know my card might have been compromised; I found out when my credit card company called me on NEW YEARS EVE to ask about possible fraudulent charges on my account. I then went and Googled Restaurant Depot to see if they had been compromised again and finally found a letter they had released on their Facebook page. I posted a long rant about my displeasure and several hours later received a phone call from the President of the company, Robert Kirschner. According to him, ONLY 75% of their locations had been breached and they knew about it a while ago but were told by their monitoring company to not let their customers know. He was on the phone with me for over 30 minutes and he seemed sincere in his apology, but I still don’t think he realizes just how bad this is for their reputation. I strongly suggested he hire a PR firm and he pooh-poohed the idea.
Today the Branch Manager of our local Restaurant Depot showed up at my restaurant in person to speak with me but I wasn’t here. Curious as to why he showed up. Not even a hefty store credit would convince me to trust this company again after TWO breaches in less than a year.
If you didn’t use your card during the time period they say they were vulnerable, can you tell us when you did use it? Did he acknowledge that there was a wider window/time frame on the breach than they had stated in their letter?
I nearly lost my business due to RD’s lack of security protocol. Had to shut down my restaurant for 3 weeks because my account was frozen. (I just opened Oct of 2012). I just received a letter on 1/7/13 stating that they knew at the beginning of Dec 2012 that someone hacked into their system etc. I called the President, Richard Kirschner, who promptly returned my call. I told him about my dilemma and that we lost approx. $6,173.83 in lost revenue for the 3 weeks we were forced to close. I didn’t include late charges for unpaid payroll or any of our lost catering jobs or expenses, only sales.
Richard kindly shared a story about his wife having her credit card stolen and told me this was the world we live in. Really?! This company makes millions upon millions every year. If it wasn’t for our small businesses they wouldn’t be nothing! It seems to be the theme in corporate America to forget about those that made you as soon as you’re rich and stable.
I’m trying to find Stanley Fleishman’s email. Any suggestions on how to locate it?
Thanks