UPDATED 23:33 EDT / MAY 30 2019

SECURITY

Credit card details stolen in point-of-sale hack targeting Checkers restaurants

Credit card details have been stolen in a point-of-sale hack involving Checkers Drive-In Restaurants Inc., the operator of Checkers and Rally’s restaurants in 28 U.S. states and the District of Columbia.

The Tampa, Florida-headquartered company disclosed the hack Wednesday, describing it as a data breach involving 103 locations in 20 states. Without going into great detail, Checkers said that the hack involved malware that had been designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.

The time frames for the infection and data theft vary by location, with some locations being infected with the point-of-sale malware as early as 2015, an indication that the company was severely slow in detecting the hacks.

As is typical in these cases, Checkers has informed law enforcement, hired third-party security experts and said it’s working with payment card companies in an effort to protect cardholders. That’s little solace to customers, however, who could have had their credit card details stolen for a period as long as four years.

Although it is difficult to defend the company’s complete ineptitude in taking so long to detect the hack, Checkers isn’t the first company to be targeted by POS hacking. Previous cases of POS hacking include Huddle House, Forever21 Inc., Whole Foods Market, Chipotle Mexican Grill Inc., Wendy’s Co. and Sonic Corp.

Robert Capps, vice president of business development at behavioral biometrics firm NuData Security, told SiliconANGLE that point-of-sale systems are a prime target for cybercriminals because once they plant their malware, they can easily siphon off credit card information.

“Restaurants and chains must keep a sharp eye out for these intrusions with continuous monitoring and updating patches across the network,” Capps said. “To fight fraud after credit card information has been stolen, restaurants and other hospitality companies offering services in the card-not-present space need to identify customers additionally by analyzing their online behavior combined with hundreds of other identifiers that hackers can’t imitate or steal.”

Jonathan Bensen, senior director of product management and chief information security officer at breach avoidance platform firm Balbix Inc., took particular issue with the fact that some locations were infected going back to 2015.

“The amount of time that passed from when the first restaurant location was infected with the malware to the time the company detected the intrusion is unacceptable,” Bensen said. “Armed with data including cardholder names, payment card numbers, verification codes and expiration dates, malicious actors can make fraudulent purchases and sell this information on the dark web, causing great harm to impacted customers.”

Bensen added that in order to detect POS attacks, companies must take a more proactive approach to cybersecurity. “Employing predictive security tools that employ artificial intelligence is the only practical and efficient way to analyze the millions of data signals that arise from company IT assets to identify vulnerabilities in real-time,” he said. “Leveraging machine learning capabilities, these tools can prioritize the vulnerabilities based on risk and business criticality so that the most dangerous and damaging issues can be addressed first.”

Photo: Michael Rivera/Wikimedia Commons
