Cyber Incident Victim: Dickeys Barbecue Pit
Date:
Jul 2019
Location:
United States of America
Summary
A US barbecue restaurant chain experienced a point-of-sale system breach impacting over three million payment cards, with stolen data subsequently posted on a criminal carding forum. The compromised magnetic stripe card details originated from 156 of the chain's locations across 30 states, predominantly affecting customers in California and Arizona. Security researchers identified the breach after criminals advertised the card records under the "Blazing Sun" label, with financial institutions confirming the data's validity. The affected organization initiated an investigation with third-party experts, law enforcement, and payment card networks while emphasizing that customers reporting unauthorized charges promptly wouldn't be liable for fraudulent transactions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Dickey's Barbecue Pit payment card breach occurred between July 2019 and August 2020, impacting 156 of the chain's 469 U.S. locations across 30 states. Hackers compromised in-store point-of-sale (POS) systems to steal payment card data, with California and Arizona experiencing the highest concentration of affected restaurants. Cybersecurity firm Gemini Advisory discovered the breach in October 2020 when cybercriminals advertised a dataset named "Blazing Sun" containing over three million payment card records on the Joker's Stash carding forum. Financial institution partners independently verified the stolen data originated from Dickey's locations. The compromised records primarily consisted of magstripe card data, which criminals sold for a median price of $17 per card due to its outdated technology and reduced security compared to EMV chips.
Upon notification of the potential breach, Dickey's initiated response protocols and launched an investigation to determine affected locations and timeframes. The company engaged third-party specialists with experience handling similar restaurant breaches and coordinated with the FBI and payment card networks. In its public statement, Dickey's emphasized that card network rules typically protect customers from liability for timely-reported unauthorized charges. The breach exposed payment card details from transactions spanning more than thirteen months before being detected through external marketplace monitoring rather than internal security systems. No specific containment measures or system remediation details were disclosed in the initial report.