The Penn Station East Coast Subs submarine-sandwich restaurant chain says 59 of its 238 locations are now “potentially affected” by a debit and credit card data breach. Parent company Penn Station Inc. first said when it disclosed the breach June 1 that 43 franchisee-owned stores possibly were affected, but the company added 16 more on Tuesday.
How much fraud, if any, has occurred on potentially compromised cards is unclear. The company, based in the Cincinnati suburb of Milford, Ohio, refuses to comment beyond a press release and the sparse information that it posted on its Web site. Most Penn Station restaurants are in Ohio and adjacent states.
Penn Station did say that cardholder names and “credit and debit card information,” presumably meaning at least account numbers, have been accessed. With debit cards, however, the company processes only signature-based payments and does not collect PINs.
In a question-and-answer section about the data breach on its Web site, Penn Station gives no clue about how or when it learned of what it calls “unauthorized access” at some of the restaurants. The company called in outside investigators who have determined that access to card information apparently started at the beginning of March. Penn Station urged anyone who visited one of the affected stores from then until the end of April and paid with a credit or debit card to watch for signs of possible fraud.
Penn Station also said that after learning of the breach the owners of the affected restaurants “took prompt steps to implement changes to the method for processing credit and debit cards at each restaurant to stop the possible unauthorized access. These changes were made at ALL Penn Station restaurants, and included restaurants even where there was no evidence of possible unauthorized access.” The company gave no details about the processing procedures or how they were changed.
A man who answered the phone at a Penn Station restaurant on the list of affected stores said when contacted by Digital Transactions News that he didn’t think his store actually was hit. “They said we were O.K.,” he said, refusing to talk further.
The publication Bank Info Security identified Penn Station's processor as Princeton, N.J.-based Heartland Payment Systems Inc. A Heartland spokesperson said the company has no comment. Heartland, which has a large portfolio of restaurant merchants, in early 2009 reported a massive breach of its own processing system.
Penn Station said it has informed federal law-enforcement authorities about the breach. The list of affected restaurants, which the company said it would update if needed, can be found through this link.
Security analyst Julie Conroy McNelley at Aite Group LLC says by e-mail that, “This further highlights the extent to which merchants are being targeted as the weakest link in the chain, and highlights the importance of continuing to expand the use of technologies such as tokenization and end-to-end [data] encryption.”
Meanwhile, the Albany (N.Y.) Times-Union newspaper reported Tuesday that Trustco Bank is suing several franchise owners of Five Guys Burgers and Fries restaurants after its MasterCard cardholders who paid for purchases last November and December at four area Five Guys locations were hit with nearly $90,000 in fraud in 376 transactions. A Five Guys spokesperson told the newspaper that a security breach affected other card brands, not just MasterCard. Among other claims, Trustco is seeking more than $14,000 to close affected accounts and reissue new cards. The U.S. Secret Service is investigating the breach.
Merchants aren’t the only ones being hit by data hackers. The big merchant processor Global Payments Inc. in late March reported a breach that it said affected fewer than 1.5 million cards, though some press reports claim the breach may be bigger and started earlier than Global initially reported.