“We have been the target of a cyber-attack,” PDQ posted on its website June 22. The chicken chain is the latest restaurant chain to face down a security breach, joining Chipotle, Sonic, Wendy’s, Arby’s, Panera Bread, full-service brand Shoney’s, and others—all brands that have proven prime targets for hackers looking to glean credit card information from guests.
PDQ, which has about 70 locations, said an unauthorized person exploited part of its computer-related system and accessed and/or acquired personal information from some of its customers. “We believe the attacker gained entry through an outside technology vendor’s remote connection tool,” the company said.
Based on an investigation, PDQ says the nearly yearlong breach occurred from May 19, 2017 to April 20, 2018. It learned on June 8 that credit card information and/or some names might have been hacked.
“Hackers are targeting payment and point-of-sale systems with increasing frequency for a simple reason: it’s effective. It’s why we’ve seen similar attacks at restaurants like Wendy’s, Chipotle, Chili’s and Applebee’s, just to name a few,” said Scott Schneider, chief revenue officer, CyberGRX, in an email. “No matter how well an organization safeguards its own data, attackers will look for an easy way in. Too often, that’s through a vulnerability introduced by a point-of-sale vendor. Organizations need to develop a real-time understanding of the level of risk exposure every third party in their digital ecosystem introduces, and that’s especially true for a tier-one vendor with access to sensitive information like customer credit card data.”
All PDQ locations in operation during that time period were affected, minus the following stores: Tampa International Airport location at 4100 George J Bean Pkwy, Tampa, Florida, 33607, Amalie Arena location at 401 Channelside Drive, Tampa, Florida, 33602, and PNC Arena location at 1400 Edwards Mill Road, Raleigh, North Carolina, 27607.
According to PDQ, information accessed and/or acquired included some or all of the following: names, credit card numbers, expiration dates, and cardholder verification value.
“However, it should be noted that the cardholder verification value that may have been accessed or acquired is not the same as the security code printed on the back of certain payment cards [e.g., Discover, MasterCard, and Visa] or printed on the front of other payment cards [e.g., American Express],” PDQ said.
PDQ said it couldn’t determine the identity or exact number of credit card numbers or names affected during the breach.
“If you used a credit card for your purchase at a PDQ restaurant during the breach period, then your credit card number, expiration date, cardholder verification value and/or name may have been accessed or acquired by a hacker,” PDQ said.
PDQ said it immediately addressed the situation and stopped the breach when it found out. It initiated an investigation and engaged a cybersecurity firm that conducted a comprehensive forensic review of the attack.
“We reported the breach to law enforcement and continue to work with authorities and state regulators. We have taken steps to further strengthen the security of our systems to help prevent this type of incident from happening again,” PDQ said.
In April, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches in recent months.