Surely by now you’ve heard all about the Target breach, where credit cards were compromised… Maybe you were one of the bazillion who were affected, and you might have already replaced your card and moved on and put that out of your mind.
But, here’s a story about what appears to be a local breach, though we do not know the full details of how it happened yet.
Going back to February 26th 2014, I took a group of about 30 friends to a Greenville, South Carolina, entertainment venue called “Jack N’ Diane’s”, which features a fun dueling piano act. A great time was had by all! The entertainers were outstanding, the servers were attentive.
On Thursday, March 6th, my wife Pamela asks, “Did you buy something from a grocery store in New York on the credit card?”… It was a small charge, like 29 dollars. Nope, I had not been to a grocery store in New York…. Hmmmmmm…. Now alert to the situation, Pamela began looking more closely at our transactions online and found another charge for less than 10 dollars in Los Angeles. We still had not been out of Greenville or made any purchases online. Pamela had the card canceled with our bank after speaking with their fraud department.
The typical things associated with that ensued – such as getting a new card sent out from the bank. It did get us to talking though, and we discussed how that card is used for food and fuel mostly. So we started wondering just where our card number had been harvested. It came down to only a handful of places. One of which was the local Jack N’ Diane’s. I posted to the groups on Facebook where my friends hang out asking if anyone else had seen fraudulent charges on their credit cards. Turns out, more than one had. This number continues to grow.
Not all of our group used credit cards, but at least half did. This looked like more than a coincidence, so I called up Jack N’ Diane’s and spoke with a gentleman there who claimed to be a manager. I told him the situation and he explained that he doubted that a server (the human kind) was stealing credit cards, so that leaves their Point Of Sale (POS) system or the credit card processor that could be the culprit. The gentleman told me that their POS system was indeed out of compliance and that before April 1st they are scheduled to replace it.
I offered him the name of someone who could help RIGHT NOW, an Upstate food service POS expert, Toby Capece. He thanked me, but declined my offer and said they had someone already.
As of today, March 11th 2014, we have at least 9 people in our group confirming that they too had charges on their cards all over the place from California to New York, and even Canada.
I have called Greenville Police Department and spoken with two people, my wife spoke with one. They just said, “file a report”, once we have the bank statements in hand.
At this stage of the game, I am now simply wanting people to know that if they have been to Jack N’ Diane’s and used plastic, that they should check their statements closely.
I do find it very interesting that Jack N’ Diane’s Facebook page has now had “posts by others” disabled – which it was not prior to the date we visited there. Also, they have not posted a thing since mid-February. Maybe others have posted about this? Either way, I feel it would be a great idea for JnD to post on their FB page a statement which reads something similar to: If you have visited JnD in the last 30 days, we ask that you examine your credit card statements closely to ensure you have not received unexpected charges. If you have, please contact us and let us know when you were here, your bank, and file a report with Greenville PD. We value your security as well as your business, so please know that we are doing everything we possibly can to investigate if our systems have been compromised and to fix this!!!!! Don’t hesitate to reach out to us at <phone number to a HUMAN>…
How could this happen? Several ways off the top of my head that credit card data can be obtained from a POS:
1. A simple skimmer attached that obtains every card that is swiped and then the data is either retrieved by the person/s who placed it there, or it may have its own means of transmitting that data – WiFi, GSM, etc.
2. The POS machine can be exploited fairly easily – especially older systems that may be in use at JnD. Some run an insecure version of the now antiquated Microsoft Windows XP operating system which likely never gets security updates. REALLY easy if that machine is on a public WiFi.
3. If using WiFi – some older systems might not even encrypt the data transfer between terminals and the server – they have been deemed unsafe by PCI regulations and should not be in use.
4. Older systems used a dial-up connection – even slower and more antiquated, but still in use. These could easily be “tapped” physically. Last I checked, no encryption was in use.
5. A plethora of man-in-the-middle type exploits exists for these older POS systems.
6. Who’s to say that the credit card processing company has not been compromised?
That’s just a FEW of the literally dozens of ways this can happen outside of the intentional theft of cards by personnel, and is why PCI compliance audits are performed regularly.
If you accept credit cards at your business – please get an outside source to help with your compliance audits. If you need help with that, call us at 864-990-4748 or use our CONTACT FORM.
If you were the victim of credit card fraud after going to Jack N’ Diane’s recently, or let’s say ANY local merchant, why not RESPOND to this post and tell me about it.
EDIT: 2014-03-11 11:23AM Eastern – Another person in the group has now discovered they were a victim too – 10 people total now.
EDIT: 2014-03-12 01:09 PM Eastern – WYFF has a news segment in which they feature this story HERE.
EDIT: 2014-03-12 2:55 PM Eastern – Jack N’ Diane’s has made a public statement on their Facebook page acknowledging that their systems have been hacked and that they are in the process of correcting that now. It should be totally fixed in a couple days.
EDIT: 2014-03-14 2:58 PM Eastern – Another person from our group has been hit, seems we have 13 confirmed.