With the latest information from the Secret Service that the breach that exposed information from hundreds of credit and bank cards was a single-day hack of a vulnerable Capitol Hill restaurant’s point of sales system, we now have the most complete picture yet of the fraud wave that has hit our area starting in late October. CHS has talked with the agents investigating this case and security industry experts and can now answer the question that continues to come up: Why are the accounts of people who never ate or drank at the Broadway Grill also being hit in this wave?
Secret Service agent Bob Kierstead of the Seattle Electronic Crimes Task Force says the overseas hacker who was able to access the network through a restaurant’s system he won’t name appears to have been able to leapfrog from the restaurant’s access to a critical server in the transaction process where account information was available. “He was able to access numbers off the server going back prior to October,” Kierstead said of the October 22nd breach that surfaced a week later as reports of fraud in the area began piling up. To date, we have tallied more than 200 fraud reports in the Capitol Hill area since the last week of October — and that only counts reports where somebody called police. Another 200+ were reported across the city as a whole in the period.
CHS has reported that personal and business accounts related to Capitol Hill’s Broadway Grill had been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular restaurant in recent months. But we have heard from many people who believe there must be more to the story because they had also been hit by fraud — but had never spent a dime at Broadway Grill.
These victims did use their credit or bank cards in the area on or before October 22, though. And that is all the hacker needed to add those accounts to the list. According to security experts we spoke with, the nature of the transactions made by the various groups of victims in the Capitol Hill breach indicates that the hacker accessed a server beyond the restaurant’s system somewhere in the transaction processing network.
Avivah Litan, a security analyst with the Gartner Group, said a growing threat is hackers who access a payment network via a weak point, “hop” to a processing server and install malware that either traps transactions or grabs stored information and passes it along to the hacker. “Restaurants are one of the biggest targets,” Litan said. “Restaurants don’t know much about security.”
About the storage of transaction information, Litan said it’s standard procedure for processors to store information for periods of around 90 days to have records for charge-backs. Full records are kept even longer at some points in the processing, she said, but that information is handled differently and is archived in a much tighter security environment.
CHS has not yet been able to identify who operates the server accessed by the hacker through the point of sale system. We have reported that the point of sale service provider is a Maryland company called Action System. In a statement sent to CHS, Action Systems told us their system is compliant with industry security standards.
The Secret Service investigators tell CHS that they believe the hacker did have access to such a processing server. Kierstead said that the task force identified the hole and had the restaurant’s security patched up a week after the initial hack.
“It was a sophisticated hack,” agent Kierstead said. “[The hacker] found an open window into the system.”
Kierstead declined to provide any further details as the investigation continues and, he expects, his team zeroes in on the hacker.
Meanwhile, CHS has learned of a similar breach in Florida involving an unnamed processor based in Washington state.
As for the Broadway Grill, Litan says they are in good company. This morning, officials acknowledged that information for 400,000 credit and bank accounts was stolen in an October hacker attack. The weak point in this one? The computer system of the Federal Reserve. UPDATE: A spokesperson for the Federal Reserve points out to us that while the suspect in this case was arrested with thousands of credit card numbers and is accused of hacking into the Fed’s system, it is believed the stolen information was obtained from other sources, not the Fed.
Litan also thinks this kind of smaller, surgical attack is a sign of things to come as authorities have focused on stamping out massive breaches like the 2008 Heartland attack that exposed 130 million debit accounts. “They’re looking for weak points,” Litan said. “Once you’re in, there’s not much to stop you.”