While you filled your face at Noodles and Co, malware was slurping your bank cards

American fast-food chain Noodles and Company says malware got into its sales registers, allowing it to slurp customers' payment card numbers. The biz admitted today that hundreds of restaurants in 28 US states were infected with card-stealing software nasties that harvested customer card names, numbers, expiration dates, and …

  1. a_yank_lurker

    How?

    Has anyone indicated how the infection occurred? Often, they are preventable by proper security practices (aka do not act like Target).

    1. joed

      Re: How?

      Why?

      Have they kept any information besides the CC number? To make hackers more happy?

      1. Goopy

        Re: How?

        RTFM

    2. Baldy50

      Re: How?

      At a Black Hat conference a couple of years ago it was shown that a POS card reader could by using a payment card carrying malicious software get infected.

      The baddy buys something and then at the end of the day goes and buys something else and all the card info of the sales for that day are then stored on the payment card used.

      No red flags raised, only infecting one POS terminal and depending on the malware in question could trickle down to the rest of the network.

  2. Mark 85

    Seriously?

    So they take security seriously... and it took a card processor after several months to tell them they had a problem? I guess in light of all the breaches where "security is taken seriously", we need to re-define the word "seriously".

    1. ecofeco Silver badge

      Re: Seriously?

      I think the word you are looking for is "liar."

  3. ma1010

    Probably management

    The usual situation anyone in IT is used to. "We need to spend $X so we can secure our systems."

    Then the beancounters and management say "No, we need to cut expenses." Then something like this happens.

    So how much is THIS little fiasco going to cost the company? Lost sales from people avoiding the place? Lawsuits? Enjoy!

    1. Ian Michael Gumby

      @ma1010 ... Re: Probably management

      Actually the conversation goes more like this...

      IT Guy: "It's going to take $$$X to secure our systems from a possible attack"

      Bean Counter: "Well why should we spend $$$X when we estimate we'll lose $$Y?"

      Bottom line, the bean counters won.

      Now post Target (department store that was hacked), the actual loss may be $$Y. But the loss in revenue/sales is $$$$Z as well as good will and now exposure from lawsuits.

      To add to this... because they are still on mag stripes and have not moved over to CHIP & SIGN, they are liable for the losses.

      This little fiasco will cost the company a lot. They will file for bankruptcy protection and may not survive.

      1. Another User

        Re: @ma1010 ... Probably management

        I doubt that Noodles Co will face the bill. Its reputation was a little bit damaged but next quarter it is all forgotten.

        Other companies incurred a damage where the stolen credit card data was used. But as you correctly state these companies still use mag stripes and are therefore liable for their own losses.

      2. Goopy

        Re: @ma1010 ... Probably management

        No, chip & Sig. Fail liability doesn't kick in until October 15th, shut up.

  4. Emmeran

    Cash and carry

    Cash and carry folks, insta-payment just isn't worth the risk.

  5. ecofeco Silver badge

    Tell me another one

    "Noodles & Company takes the security of our guests' information extremely seriously"

    No you don't.

  6. Florida1920

    As opposed to UNREAL food?

    Our menu has REAL Food, cooked just the way you like it. Want extra cheese on your Penne Rosa? How about spinach in your Japanese Pan Noodles? No problem. Each dish is cooked to order. So go ahead, get creative. The possibilities are endless!

    Noodles & Company Menu

    How about a big debit in your bank account? No problem.

  7. I am not spartacus

    Optional

    "Researchers say that POS malware infections are "epidemic" throughout the retail world"

    I'll just point out that more than one set of words can be abbreviated to POS although maybe PoS is more correct. That's all.
