
Atlanta-based restaurant chain Huddle House said a security breach affected its point-of-sale system and warned customers to scrutinize card transactions at any of its 341 locations in the past six months.

"Criminals compromised a third-party point of sale vendor's data system and utilized the vendor's assistance tools to gain remote access - and the ability to deploy malware - to some Huddle House corporate and franchisee POS systems," Huddle House said in an alert on its Web site.

The malware was designed to collect data including cardholder name, credit/debit card number, expiration date, CVV and service code. Huddle House asked all customers who used credit or debit cards between August 1, 2017, and February 1, 2019 to monitor their bank accounts for any suspicious transactions.

As with all breaches affecting payment cards, the risk extends to credit unions and other financial institutions that issue credit and debit cards.

The theft was reportedly discovered about January 3, 2019, after Huddle House was notified by a law enforcement agency and its credit card processor. An investigation is ongoing with the help of third-party forensic experts.

Stephen Moore, chief security strategist for San Mateo, Calif.-based security management firm Exabeam, pointed out, "The Huddle House restaurant breach caused by a compromised third-party POS vendor went undetected much longer than it should have—but this is, unfortunately, a common theme today. Once a breach has been discovered, investigations typically reveal that adversaries have been occupying their network for days, if not months—and sometimes years."

Moore added that an intrusion is frequently detected by a notable change, such as a rapid increase in network traffic, a suspicious system login location or time, or the unusual export of sensitive information. "But not all attacks have an obvious pattern. Often adversaries who have gained access to a network are conducting a 'low and slow' attack. This is where they carefully and methodically move laterally across devices and users so as not to attract attention—doing reconnaissance and strategizing on how best to exfiltrate data."

Moore suggested that machine learning security approaches can make it fast and easy to find anomalous and suspicious user and device behavior. "Its algorithms can baseline normal behavior in your network environment, then alert your security team whenever anomalous activity occurs. As a result, analysts can detect breaches sooner and reduce the amount of time that attackers are 'dwelling' in a network environment, significantly reducing the size of a breach and its devastating impacts."

Meanwhile, the San Diego, Calif.-based Identity Theft Resource Center, in its 2018 End-of-Year Data Breach Report, tallied 1,244 breaches with a reported 446,515,334 records affected. While the number of breach incidents is lower than in 2017, the ITRC saw a 126% increase in the number of reported records that contained sensitive personally identifiable information. "Reporting parties aren't always the target. Many of those reporting incidents were compromised through third-party vendors," the report revealed.

The ITRC does not categorize all data incidents as a breach – this includes incidents of misuse. The damage to personally identifiable information is devastating no matter what it is called.

According to Colin Bastable, CEO of Austin, Texas-based cybersecurity test and training company Lucy Security: "Third-parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are."

Bastable suggested that by making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk. By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users increase their risk profile significantly.

The Lucy Security CEO noted that, from an organizational perspective, the technologies already exist to protect data. "We have encryption, tokenization, MFA, anti-malware software, firewalls and so on, but attacks keep succeeding at increasing rates." He recommended, "If you don't have to hold consumer data – don't. Train your people relentlessly, and run 'what-if?' scenarios for the 20% of them who will click on a phishing link."

Personal information should always be encrypted and protected inside an organization's computers and networks, said Anthony James, chief strategy officer at San Jose-based CipherCloud. "This should include all of your on premise applications, SaaS-based applications, and custom IaaS-based applications."

James explained that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption – these are the new skirmish lines for cyberattacks, especially within the cloud. "Tools that automatically implement encryption and protect your data, such as data loss prevention and digital rights management, help secure the extended enterprise." James added that in the event that an important vendor doesn't have the right data protection, organizations can wrap their applications with a cloud-access security broker to provide the necessary security for the data.

Beyond the battle over encryption, James cautioned, credential access remains in the midst of a full-pitched battle against attackers using techniques such as account manipulation, bash history, brute force, credential dumping, registry-based credentials, forced authentication, hooking, input capture, kerberoasting (a method used to steal service account credentials), and keychain attacks.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).