Cyber Incident Victim: Compass Group PLC
Date: Feb 2015
Location: United States of America
Summary
A food service management company experienced a malware compromise affecting point-of-sale systems at three U.S. locations, exposing customer payment card information including names, card numbers, expiration dates, and security codes. The breach impacted self-service kiosks at specific California sites, though no other company locations were confirmed as compromised. Malware was removed from infected terminals, and the incident was contained. While no evidence confirmed data exfiltration, the company offered affected individuals complimentary identity protection and credit monitoring services for one year as a precautionary measure.
Description
In early 2015, Compass Group, a major food service management company operating self-serve kiosks and vending machines across corporate, educational, and public venues in the US and Canada, experienced a cybersecurity breach impacting point-of-sale (PoS) systems at three specific US locations. Between February 2 and March 9, 2015, malware compromised payment terminals at dining facilities located at 450 American Street in Simi Valley, California; 1800 Tapo Canyon Road in Simi Valley, California; and 375 Trimble Road in San Jose, California. The malware harvested customers’ payment card data during transactions, including cardholder names, card numbers, expiration dates, and card verification values (CVV). The exposure of CVV codes represented a significant violation of the Payment Card Industry Data Security Standard (PCI DSS), which explicitly prohibits merchants from storing this sensitive authentication data. Compass Group confirmed the breach was isolated to these three locations, with no evidence of compromise at other sites. The company estimated the incident affected customers who conducted transactions during the 36-day window at the specified venues.

Compass Group responded by disabling the compromised PoS terminals, removing the malware, and implementing containment measures to prevent further data exposure. The company publicly disclosed the breach via a media notice and California Attorney General’s Office filing, though it stated investigators found no evidence confirming data exfiltration by attackers. Despite this uncertainty, Compass Group notified affected customers and offered one year of complimentary identity protection services, including credit monitoring, to mitigate potential fraud risks. Customers were advised to review bank statements and credit reports for unauthorized activity and to contact financial institutions if suspicious transactions occurred. The company emphasized that its remediation efforts had secured the impacted systems but did not disclose technical details about the malware’s operation or initial infection vector. No additional compromises were reported following the containment actions.
