Cici’s Pizza has a data breach in 130+ Restaurants

Back in early June, we reported that Cici’s was investigating a possible data breach. We can now confirm that this is indeed the case – Cici’s Pizza has had a data breach.

Cici’s Pizza, a Coppell, TX-based restaurant chain, has released a statement about the data breach.

Protecting Our Guests – All Other States

Jul 18, 2016

NOTICE OF DATA BREACH

Cicis values its customers and respects the privacy of your information.  As a precautionary measure, we want to inform you that your personal information may have been compromised as a result of a data breach that impacted certain of Cicis restaurant locations.   Cicis regrets any inconvenience this may have caused.

WHAT HAPPENED

While this matter is still under investigation, we wish to report what we currently know.  In early March of 2016, we received notice from several of our restaurant locations that their Point of Sale (POS) systems were not working properly.  Our POS Vendor began an investigation to assess the problem and initiated heightened security measures.  When the POS Vendor found malware on the POS software at some Cicis restaurants, we immediately began a restaurant by restaurant data security review and remediation.  We also retained a third party cyber security firm to perform a forensic analysis to determine what, if any, information might have been compromised and to verify that all threats have been eliminated.  The forensic firm reported its findings on July 19, 2016 confirming that a malicious software program had been introduced by a hacker to the POS system used by some Cicis restaurant locations.  The threat of that malware to our restaurants has been eliminated.

WHAT INFORMATION WAS INVOLVED

The report revealed that payment card information may have been compromised from payment cards used at some Cicis restaurants. The vast majority of intrusions began in March of 2016 and the threats were eliminated on a store by store basis through July of 2016.  A smaller percentage of affected restaurants had intrusions dating back to 2015.  While we believe most of the breaches were remedied within a few weeks of the intrusion, out of an abundance of caution we are not declaring some restaurants as threat-free until they were reviewed by our forensic analyst this month.  The following link contains a list of all affected restaurant locations and the dates of potential vulnerability. Not all payment cards used at the affected restaurant locations were compromised; however, some information from some payment cards used in such locations may have been accessed by the malware.  No other customer information was compromised.



WHAT WE ARE DOING

As part of our response to this incident, we have notified law enforcement and the state agencies as required by the laws of the jurisdictions in which our restaurants are located, and we will continue to assist with their investigation.  The payment card networks have also been informed so that they can coordinate with card issuing banks to monitor for fraudulent activity on cards used during the timeframe in which cards may have been compromised.  Cicis continues to monitor and upgrade our systems to keep your information as secure as possible.

WHAT YOU CAN DO

If you used a payment card during the timeframe listed above at an affected restaurant, you should pay particular attention to your payment card statements for unauthorized activity.  Any unauthorized activity should be immediately reported to your card issuer because card payment rules generally provide that cardholders are not responsible for fraudulent transactions that are promptly reported.

STEPS YOU CAN TAKE TO FURTHER PROTECT YOUR INFORMATION

CARD STATEMENT AND CREDIT REPORT MONITORING

We recommend that you protect against payment card fraud and identity theft by carefully monitoring your card statements and by reviewing free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax
(800) 685-1111
www.equifax.com
P.O. Box 740241
Atlanta, GA 30374

Experian
(888) 397-3742
www.experian.com
535 Anton Blvd., Suite 100
Costa Mesa, CA 92626

TransUnion
(800) 916-8800
www.transunion.com
P.O. Box 6790
Fullerton, CA 92834

If you find evidence that your payment card data has been misused or that your identity has been stolen, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft.   Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.

FRAUD ALERT

You may also want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for at least 90 days. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.  If you place a fraud alert with any of the three credit reporting agencies, that agency will inform the other two.  There are two types of fraud alerts: an Initial Security Alert, which lasts 90 days, and an Extended Fraud Victim Alert, which lasts up to seven years.  You should work with the credit reporting agency to select the alert most appropriate for you. If you select an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.



SECURITY FREEZE

In some US states, you have the right to put a security freeze on your credit file. The freeze will prevent new credit from being opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. You must separately place a security freeze on your credit file with each credit reporting agency. Additionally, if you request a security freeze from a consumer reporting agency there may be a fee up to $5 to place, lift or remove the security freeze. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement.

OBTAIN ADDITIONAL INFORMATION

You may wish to review the tips provided by the Federal Trade Commission on how to avoid identity theft. For more information, please visit http://www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338). A copy of Taking Charge: What to Do if Your Identity is Stolen, a comprehensive guide from the FTC to help you guard against and deal with identity theft, can be found on the FTC’s website at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.

If you are a NORTH CAROLINA resident: You may also wish to review information provided by the North Carolina Attorney General’s Office on how to avoid identity theft.  Their website address is www.ncdoj.gov.  Their toll-free number is 1-877-566-7226.  Their mailing address is North Carolina Attorney General’s Office, 9001 Mail Service Center, Raleigh, NC 27699-9001.

If you are a MARYLAND resident, you may contact the Maryland Attorney General’s Office at 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.
If you are a resident of North Carolina, you may contact the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716-6400.

If you are a WEST VIRGINIA resident, you also have the right to ask that nationwide consumer reporting agencies place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft.  A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit.  You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies.  Contact information for each of the three credit reporting agencies is listed above.

FOR MORE INFORMATION.

We understand that you may have questions about this incident that are not addressed in this notification.  If you have additional questions, please call our dedicated assistance line at (877) 220-1388, Monday through Friday, 9 a.m. to 7 p.m. EST (Closed on U.S. observed holidays) and provide reference number 8771062016 when calling.

This is yet another point-of-sale terminal breach – or POS breach.

Point-of-sale malware has been the predominant method of credit card breach over the past couple of years. Similar breaches include those at Target and Home Depot, as well as breaches at a number of point-of-sale vendors affecting multiple food outlets, such as Wendy’s and Noodles & Company, to name just a couple.

The POS malware is usually installed using hacked remote administration tools. Once the attackers have their POS malware loaded onto the credit card terminal or cash register devices, they can and do capture data from each and every card swiped at that POS device.

You should always remember that under law, you are not liable for fraudulent charges on your credit or debit cards, but you must still report the phony transactions. There is no real substitute for keeping a very close eye on your card statements – otherwise you might miss fraudulent charges and simply pay for them. Please continue to use credit cards instead of debit cards: once a fraudster has your debit card, they can empty your checking account of funds and cause additional problems, such as bounced checks or charges. Credit cards provide you more protection from these additional headaches.
