Cyber Incident Victim: Yellowfront Grocery
Date: Aug 2015
Location: United States of America
Summary
Yellowfront Grocery experienced a point-of-sale breach involving RAM-scraping malware deployed through compromised credentials of its POS provider, CSTARS of Maine, allowing attackers to intercept payment card data before encryption. The compromise exposed Track 2 data, including card numbers and expiration dates, but no cardholder names or addresses. Two financial institutions collectively replaced approximately 3,000 payment cards due to fraudulent activity linked to transactions occurring over a multi-week period. The store owner confirmed system remediation and collaboration with federal investigators and the POS provider to address the incident, while acknowledging reports of fraudulent card usage stemming from the breach.
Description
On October 16, 2015, Yellowfront Grocery in Damariscotta, Maine, publicly disclosed a point-of-sale (POS) breach via a Facebook notification, later elaborated through statements by store owner Jeff Pierce and CSTARS of Maine, the store’s POS software provider. The compromise occurred between August 11 and October 16, 2015, with attackers deploying "RAM scraper" malware on CSTARS of Maine’s systems to intercept payment card data before encryption. CSTARS attributed the initial access to compromised LogMeIn credentials, which allowed unauthorized entry into Yellowfront’s payment environment through the provider’s infrastructure. Pierce confirmed payment card numbers were definitively stolen but expressed uncertainty about additional data exfiltration, while CSTARS clarified that only Track 2 data—card numbers and expiration dates—were compromised, excluding cardholder names or addresses. The breach impacted customers who transacted at Yellowfront during the two-month window, prompting First Bancorp and Damariscotta Bank & Trust to collectively replace approximately 3,000 payment cards as a precautionary measure.

Yellowfront Grocery collaborated with the U.S. Secret Service and CSTARS of Maine to investigate the incident, with Pierce asserting that the store’s systems had been secured post-breach. Local financial institutions reported no confirmed fraud cases directly linked to the breach at the time of disclosure, though Pierce acknowledged receiving anecdotal fraud reports from affected customers. Authorities advised vigilance for unauthorized transactions on cards used at the store during the exposure period, with Pierce explicitly recommending card replacements regardless of detected fraud. The breach underscored systemic vulnerabilities in third-party POS provider security, particularly the exploitation of remote access credentials to deploy memory-scraping malware. No further compromises at other CSTARS-affiliated stores were confirmed in the available reporting, though the incident prompted scrutiny of interconnected POS network security practices.
