Service Systems Associates, a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems.
Several banking industry sources told KrebsOnSecurity they have detected a pattern of fraud on cards that were all used at zoo gift shops operated by Denver-basd SSA. On Wednesday morning, CBS Detroit moved a story citing zoo officials there saying the SSA was investigating a breach involving point-of-sale malware.
Contacted about the findings, SSA confirmed that it was the victim of a data security breach.
“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”
SSA said it has been working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach.
“Though the investigation into this attack continues, the malware that caused the breach was identified and removed,” the statement continued. “All visitors should feel confident using credit or debit cards anywhere in these facilities.”
The company declined to name the individual locations that were impacted by the breach, but financial industry sources say the breach likely involves SSA concession and gift shops at zoo locations in at least two dozen cities, including:
San Francisco, Calif.
Colorado Springs, Colo.
Palm Desert, Calif.
Fort Wayne, Ind.
Battle Creek, Mich.
Apple Valley, Minn.
El Paso, Texas
Salt Lake City, Utah
Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.
Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.
In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.