Vividly demonstrating how wide a range of organizations can be breached by hackers, both the restaurant chain Wingstop and Minnesota’s Metropolitan State University acknowledged data breaches in the past week.
In response to reports of suspicious activity, Wingstop says it retained the digital forensics firm Stroz Friedberg to review the point-of-sale (PoS) systems at all of its U.S. locations. The investigation found that four of its independently owned and operated franchise locations in Texas had suffered PoS breaches during separate time periods in 2012 and 2014.
The company says Wingstop locations in Corpus Christi and Union City, Texas had malware on their PoS systems between June 4, 2014 and July 31, 2014; 20 customer payment cards that had been used at a location in Lubbock, Texas experienced fraud around the same timeframe; and one franchise in Grand Prairie, Texas had malware on its PoS system between May 5, 2012 and June 27, 2012, and again between November 11, 2012 and December 9, 2012.
The data potentially exposed includes cardholder names, payment card account numbers and expiration dates.
“In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems,” the company said in a statement. “Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location. The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.”
All affected customers are being offered 12 months of free identity theft protection services from AllClear ID. Customers with questions are advised to contact (877) 615-3744.
And Metropolitan State University recently acknowledged that a hacker appears to have breached its Web server in mid-December 2014 and accessed a database containing the personal information of faculty, staff and students. The university hasn’t yet determined who may have been affected.
“We do not believe this server contained any financial data or credit card information, but several databases included employees’ Social Security numbers,” the university said in a statement [PDF].
“To date, we have established the validity of the claimed attack, disabled the vulnerability that we believe permitted this breach, isolated the risk from other servers, and notified law enforcement,” the statement adds. “The university is also taking additional measures to minimize future security risks.”
Several recent articles at eSecurity Planet have offered advice on how to respond to a data breach, from conducting a security audit to consulting with data privacy counsel.