Capitol Hill credit card fraud wave tied to Broadway Grill

The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one “point of interest.” Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill’s Broadway Grill is also a victim in this wave as personal and business accounts related to the restaurant have been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular eatery.

We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:

We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.


We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can’t happen to any of our customers. There has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.

We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day to day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.

We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service’s Electronic Crimes Task Force had identified and “reduced” the threat from what the lead agent called a “point of interest” in the Capitol Hill area.

We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he was not aware of any contact between investigators and either of the Broadway stores. “To my knowledge, we have not been contacted by police. When we are, we will work with them,” the spokesperson said earlier this week.

Meanwhile, the situation is widespread enough and people are so wary that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a growing number of Seattle University students and employees who have experienced problems with financial accounts in recent days. But Mike Sletten, director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. “They all reflect that Capitol Hill theme,” Sletten said.

Investigators will not say how the account information was breached so it is not yet clear what role Broadway Grill’s point of sale technology played in the crimes. We contacted the Grill’s POS service provider, Action Systems, Inc. in Silver Spring, Maryland. While they confirmed Broadway Grill’s involvement in the investigation via phone, their statement sent to us in e-mail does not specify if ASI has been contacted by investigators. Here’s the brief sent to us by ASI director of sales and marketing Craig Bednarovsky:

Since the release of Restaurant Manager™ v15.1 in 2006, all software designed by ASI has been certified as fully compliant with the Data Security Standards (DSS) of the Payment Card Industry (PCI) and has been listed on the official website of the payment card industry:

https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php

Restaurants using Restaurant Manager v15.0 or earlier have been notified repeatedly that they must upgrade to a more current version of the software before they will be able to operate as a PCI Compliant business.

It is the restaurant’s responsibility to act on these repeated warnings.

It is also important to note there are many requirements for PCI compliance that do not relate at all to point of sale software. Restaurants need to adhere to all PCI requirements in order to ensure the protection of sensitive consumer information.

We’ve asked ASI for clarification about their involvement in the investigation and for information on any other Seattle-area businesses they provide services for.

While her company is not the provider for the Broadway Grill, Jeanie Walker, representative for Seattle-based POS provider Dinerware, tells CHS that breaches like this can happen from the technology side of the process or from the restaurant’s own practices involving payment systems. Walker also said her company has not been contacted by investigators in the Capitol Hill case.

“There are 12 steps to being compliant,” Walker said. “Five are in software, seven are on restaurant side.”

Walker said that holes on the restaurant side can range from failing to make the wi-fi isolated and secure on a separate network from the point of sale system to storing credit card information incorrectly.

We reported on new ownership for the longtime Broadway food and drink provider this June. Matthew Walsh, a onetime Grill server, and CJ Saretto took over the 20-year-old restaurant this summer.

The software side can definitely break down, too. In this article about the Capitol Hill “fraud spree” on a banking security industry site, one security expert says Seattle’s wave has the earmarks of a software hack:

One security expert says fraudster gangs are very often based in a certain city and target merchants in their own backyards, usually in collusion with an employee who skims the cards.

“What’s unusual here is that multiple merchants were compromised, meaning that collusion is unlikely, and, therefore, skimming is also unlikely,” says Tom Wills, a senior fraud analyst at Javelin Research. While details are still not known, Wills speculates that a local Seattle-based gang may have performed a “Gonzalez-style” point-of-sale hack, referring to Albert Gonzalez, the mastermind behind the Heartland Payment Systems breach (among others).

Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC, says it appears this fraud is “indicative of the smash-and-grab-type mentality,” during which the objective is to net the largest amount of money in the quickest timeframe, “and get out before you leave too many clues about who you are.”

While the number of reports made around Capitol Hill seems to be massive in scale, there are examples of similar-sized waves being tied to a single restaurant. In September, investigators determined that hundreds of credit card fraud cases were tied to the computer system at one Roseville, California restaurant:

Hundreds of local cases in which thieves have collected credit-card numbers and used them to fraudulently make purchases have been traced to customers who frequented one Roseville restaurant, police said today.

Roseville police said that hundreds of credit-card numbers were compromised at Paul Martin’s American Bistro.

Detectives believe that the problem is isolated to computer systems at the restaurant’s site, 1455 Eureka Road, and “did not involve the external financial services network or any third-party data processing service,” according to a police news release.

The cyber criminals who perpetrated the fraudulent credit-card activity are not known and could be operating anywhere in the world, police said.

The California restaurant remains open after bringing in a security consultant to make sure their business was operating safely.

For now, Broadway Grill stands by itself as the only Capitol Hill business we have connected to the credit card problems. Is it alone on the Hill and in the city in being hit with this kind of threat? Unlikely. Given the mechanics of these crimes, there are other Broadway Grills out there in Seattle and beyond right now. Capitol Hill, as usual, leads the way. It seems likely others won’t be far behind.

117 thoughts on “Capitol Hill credit card fraud wave tied to Broadway Grill”

  1. It’s funny, earlier in the week, commenters were complaining that the blog writer requested that businesses where victims used their cards not be named, thus giving us no info about suspects. And now people are complaining that a business that is definitely implicated has been named!

    Look, Bway Grill is a victim, but they may also bear some culpability, because they apparently chose to use an unsafe transmission process. They are less a victim than the customers who had no idea they were handing their cards over to someone who was leaking numbers into cyberspace.

    I guess I am naive, but I didn’t know that businesses just used the Internet to transmit cc numbers. I NEVER use cc’s, bank account numbers, or SSN online. I thought I was protecting myself this way, by shopping at real stores rather than online. Turns out, it’s the same difference! I will be educating myself about these processes, and asking questions of the businesses I shop at. I hope others will do the same. Businesses will only improve these systems if consumers are informed and require them to.

  2. I was hit. Thankfully my institution denied the charge. Interestingly enough, I’ve been on a ship since August 6. I don’t use that particular card very often but both The Grill and the QFC were on my statement. Hope they catch the bastards.

  3. - Does the restaurant use any online banking, and if so, when was the last time they changed their password to log in?

    - Were our Russian guests who turned out to be spies possibly involved in installing a skimming device or sniffing passwords / cc’s? Reason I ask is quite often all roads lead to Russia when dealing in CC fraud on a large scale. We know this attack is large scale, with many dupes around the country using stolen CC to purchase merchandise then ship it out. Just a thought.

    - PCI recommends you patch to the vendor’s specification. But it probably stopped short of issuing fines for not doing so. Broadway Grill’s owner sounds like a typical clueless “we didn’t do anything” non technical person. Well of course you didn’t — That’s the point. If the business was using outdated restaurant management software, it very likely could be the way the attacker compromised. Or a network where CC was transferred in the clear or mixed with a wifi / public accessible network.

    As a long term resident of the Hill I will continue to patronize Broadway Grill. And I will probably pay with cash. :)

  4. My card was just used today and I have never eaten at the BWG using that credit card. In the past two weeks I have been to 6 local businesses on Capitol Hill where I used my card.

    QFC
    Picture Framing on Broadway
    Blick Art Supply
    The Cuff
    R Place
    The Lobby

  5. Clearwire uses private frequencies and OFDM to provide security – or so they claim.

    OFDM + private frequencies are not security. OFDM is obfuscation, which means some decoding would have to be done, but compared to real encryption it is trivial. It is like saying since DSL uses multiplexing you cannot tap it. That is not true either – it may take some work, but it is definitely doable.

    The network engineer is correct – sniffing Clearwire is indeed possible. Assuming the Russian mob is responsible for this, they easily have access to resources to do this.

  6. I love the site/blog….it’s great to have something keeping us informed about the community we live in.

    But I have a couple suggestions. I appreciate being aware of this issue but the positioning of it is somewhat alarming. The article specifically focuses on one particular business but parts of the article seem intent to make this a bigger, scarier issue than it should be or really is. In the grand scheme of credit card volume, this sort of issue on this scale is nowhere close to being pandemic and I think the article could have easily been geared towards creating calm instead of leaning more to creating fear or worry. Also the article doesn’t leave the reader with any common tips or reassurance and could have easily done so. You could have made consumers aware that they would not be liable for fraudulent activity like the one the article references…not where the breach of security or lack of diligence happened outside of their remit/control. You could have also made reassurances relative to the volume of credit card activity that takes place in the Capitol Hill area versus the number of fraud cases. Then we would all see that this is kind of small in scope given the sheer size of everyday use of credit cards. Today I got an email that had already been extensively passed around (likely to recipients living on the Hill) that basically said DON’T use your credit card on or around Capitol Hill. The email went on to frame a pandemic around fraud on the Hill and I found this very worrisome. Only then did I find your article on the web (after getting the email) so I wanted to make you very aware of the impact (and responsibility) you have on our community. I’m very aware of how media often chooses to represent the bad news more often than the good but I’m hoping that on the Hill (in Seattle) we operate a little outside of the box.

    The email I received was worrisome because what will happen is that consumers (the readers of that email and of your article) may very well be resolved to simply not spend their money on or in Capitol Hill based on a fear of this perceived “epidemic” and this would be very bad for our community….for those of us that live in this area. I’m not a business owner but I’m well aware of the economic structure that makes our community interesting and successful…so I think better care should be exercised in reporting on negative aspects of our community. I’m not asking for these sorts of subjects to be avoided, only to make sure that we keep perspective and not fall into a routine of reporting from a single perspective. You are in a unique position to offer up multiple perspectives where a lot of us have trouble in creating (as readers) at times…so a reminder is always helpful. I have about 10 years of experience in banking, credit cards and several years specifically in fraud and forgery….so I am relatively aware of the scope and scale of this and it is incredibly small and not usual. If it were a bigger issue the credit cards would finally exercise a method to reduce it …like switching to a Pin and Chip format that is widely used in many other parts of the world and has significant impacts in fraud reduction. They are however, not financially interested at present and our government doesn’t feel the need to better protect these personal intrusions into our lives, so for now, fraud is something that…well “just happens”. :) thanks guys…really loving what you’re doing!!

    Jeff

  7. Also, just as an example…the article focuses on one very focused possible breach or area where the fraud may have originated…but the title of your article frames something much much bigger in an alarmist way. I think we all have enough to worry about in these very tough economic times than to feel like we face victimization everywhere we use our credit card or that the community we live/play in is unsafe. I think the framing of this article has and is working against our community more than for it.

  8. It’s not the Grill…While I don’t like the Grill, I am certain it’s not them. I have not been there in almost a year! It’s the QFC in the Broadway Market. I don’t use my card much and that’s where I use my card.

    I’ve had some friends who also got hit and that’s the only place we have in common.

  9. Yes, the only time I was on the Hill in the last 3 months was at the Broadway Grill, 9/21/10 – only time I used my card in that area.
    Just had three charges in Italy on my card last week. :(

  10. I had my debit card compromised after using it at Table 219. This was a week ago last Sunday. Nov 7 I used my credit card at Broadway Grill and have not heard anything yet from my bank. If you are told that STD solutions has attempted to use your card be advised that STD solutions is a sex line. BOA gave me their number and I called getting a recording asking if I wanted to talk to “hot girls” and then gave me another 800 number to call. Not even a gay sex line, and all this happening on Capitol Hill. Sort of funny if it was not so serious of a problem.

  11. Hello. I am a Seattle resident, but I must first and foremost note that I am a DC native and have spent a great amount of time in Montgomery County, Maryland. I must therefore object to this article. There is no such town as “Silver Springs, Maryland”. That is “Silver Spring”. Silver Spring, Maryland. Home of the Discovery Channel. Thank you.

  12. I realize I am late in commenting on this but just recently had fraudulent charges on my debit card from an ATM so apparently they are now able to get pin #’s (my card was in my possession the whole time). The only place on the hill I have used my card is at the QFC. I called to report the incident and they asked about Broadway Grill. I have never been there and I also have 4 other friends who live on the Hill who were victims and the only place they used their card was QFC.