Fifteen
months after DiBella’s Old Fashioned Submarines was notified by the FBI and
credit card companies of a data breach the sandwich shop chain has issued a
notice informing its customers of the incident.
The company
reported its stores in Connecticut, Indiana, Michigan, Ohio, New York and
Pennsylvania may have had the information on as many as 305,000 payment cards
compromised. DiBella’s said it was informed by the FBI and its credit card
firms on August 27, 2018 of the data breach and that Fin7 were the likely
actors behind the attack gaining access to the company’s payment card data and
computer system.
The majority
of the locations were victimized between March 22, 2018 and December 28, 2018
with its Cranberry, Penn. store possibly being hit as early as September 2017.
The customer data involved included individual names, payment card numbers,
expiration dates, and CVV numbers, DiBella’s
stated.
DiBella’s
has not yet returned an SC Media inquiry into why the company waited until now
to disclose the issue.
The company
does not know which individuals were impacted and said it has not received any
customer complaints about their payment cards being misused. But it is warning
anyone who visited the locations in questions to
The leaders
behind FIN7,
aka the Carbanak gang, were caught by law enforcement starting in January and
June of 2018. In August 2018 the U.S. Department of Justice made public arrests
of the three Ukrainian men who allegedly were key players in the cyber gang. However,
the arrests did not stop other members of the gang from continuing their activities.
The security
notice said the malware found on the company’s system ties the attack to Fin7.