ITHACA, N.Y. — DiBella’s Sub Shops has announced that hundreds of thousands of customers, including those in New York, may have had their payment information stolen in what the company is describing as a sophisticated cyberattack.
In August of 2018, the FBI and major card brands notified DiBella’s of a potential compromise of customer payment card information processed at some DiBella’s locations.
“According to law enforcement, the sophisticated cybercrime syndicate, FIN7, was behind the attacks and had worked to potentially gain access to payment card data on our store information systems,” reads a statement from the Rochester-based sandwich chain. “Since then, we have fully cooperated with the FBI and U.S. Secret Service and the payment card brands to properly assess the scope of the incident and take steps to mitigate any potential harm.”
Due to the sophistication of FIN7 and the complexity of the attack, DiBella’s, after contracting a forensics firm, were not able to immediately identify the cause of any compromise. After several months, the forensics investigation team found malware in DiBella’s payment system that could have enabled the theft of customer’s payment card data, according to the company. DiBella’s immediately took steps to remove the malware with the help of cybersecurity experts and in cooperation with the FBI.
Also due to the level of sophistication involved in the attacks, the company has “no means by which to identify specifically which individual cards or cardholders may have been compromised.”
“We only know that cards used at some of our stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania between March 22, 2018, and December 28, 2018, may have been at risk. In the case of stores in Cranberry, Pennsylvania, it is possible cards used between September 2017 and December 29, 2018, could be at risk,” says the statement.
DiBella’s believes the breach affected as many as 305,000 payment cards but says there is no way of knowing for sure.
As to why they are disclosing the breach now, DiBella’s says they were given the clearance by law enforcement to inform their customers.
“This was an unfortunate incident to be involved with and while we certainly wish we could have notified customers earlier, law enforcement advised us that any such disclosure could compromise ongoing investigations,” said Peter Fox, president of DiBella Sub Shops. “In an effort to ensure to the best of our ability that this never happens again, we have also updated all of our point of sale systems in every restaurant and have upgraded all internal computer security.”
DiBella’s recommends that you review your financial statements from the timeframe mentioned to see if there are any discrepancies. If you do believe that your information was stolen and used, they recommend that you contact your card issuer for assistance.
For more details about the data breach, DiBella’s has set up a page on their site dedicated to the breach that can be found here.