Fast-casual restaurants are supposed to offer the perfect blend of comfort and convenience to their diners. The problem is they're not supposed to make things that easy for hackers going after credit card data, too.
All-you-can-eat pizza chain Cicis announced on Sunday (July 17) that it had gathered enough evidence to support its belief that a large number of Cicis locations had been compromised by a credit card breach dating back to at least March 2016. That was when the QSR chain says the frequency of attacks skyrocketed, though there is evidence to support a hacked POS system in some of its stores as far back as last year.
"When the POS vendor found malware on the POS software at some Cicis restaurants, we immediately began a restaurant-by-restaurant data security review and remediation," the company explained. "We also retained a third-party cybersecurity firm to perform a forensic analysis to determine what, if any, information might have been compromised and to verify that all threats have been eliminated. The forensic firm reported its findings on July 19, 2016, confirming that a malicious software program had been introduced by a hacker to the POS system used by some Cicis restaurant locations. The threat of that malware to our restaurants has been eliminated."
While Cicis might be embracing the realty of its situation now, Brian Krebs of Krebs on Security claims to have gained access back in June to the malware used to lift credit card info from Cicis' POS system. Not only that, but written notes to and from store employees were also viewable.
This will leave a bad taste in Cicis diners' mouths, but if the chain is lucky, it won't be as bad as the taste Chipotle left.