Cyber Incident Victim: CiCi's Pizza

Date: Apr 2016

Location: United States of America

Summary

CiCi's Pizza, a U.S. restaurant chain with over 500 locations, experienced a credit card breach involving compromised point-of-sale systems. Attackers gained access by posing as technical support personnel for the chain's POS provider, Datapoint, using social engineering tactics to install remote access tools like TeamViewer and ScreenConnect across multiple retailers. Financial institutions detected fraudulent patterns on cards recently used at affected locations, prompting investigations. Datapoint denied responsibility, asserting compliance with security standards and attributing the breach to third-party vendor vulnerabilities and store-level authorization of unauthorized support access. The U.S. Secret Service investigated the incident, which coincided with broader concerns about compromised remote-access software. Google flagged Datapoint's website as hacked during this period.


Description

In early 2016, multiple U.S. financial institutions detected patterns of fraudulent activity on credit cards that had recently been used at CiCi’s Pizza locations across the country. Over a two-month period leading up to June 2016, fraud investigators from at least six banks contacted cybersecurity journalist Brian Krebs to inquire about a potential breach at the Texas-based restaurant chain, which operated over 500 stores in 35 states. The banks traced the fraud to cards used at various CiCi’s establishments, though the company had not publicly acknowledged any security incident. When Krebs contacted CiCi’s headquarters, he was referred to Champion Management, a third-party restaurant management firm, which redirected inquiries to PR firm SPM Communications. SPM did not provide substantive responses to multiple inquiries. A banking industry source disclosed that the U.S. Secret Service had linked the fraud to a security weakness at Datapoint, CiCi’s point-of-sale (POS) system provider. Investigation revealed that Datapoint’s website had been flagged by Google as compromised due to historical involvement in spam campaigns for counterfeit pharmaceuticals, though the company’s site still listed CiCi’s as a major client.

The breach stemmed from attackers posing as technical support personnel for POS vendors, using social engineering tactics to gain remote access to restaurant systems. According to Datapoint Vice President Stephen P. Warne, hackers contacted CiCi’s locations and other retailers claiming to represent support teams, convincing staff to install remote access tools like TeamViewer and ScreenConnect. Warne emphasized that the breaches affected multiple POS vendors within the same franchise environment, including Harbortouch and Granbury Restaurant Systems, and were not specific to Datapoint’s infrastructure, which he claimed remained PCI-compliant. The Secret Service had reportedly investigated these incidents months earlier but did not publicly confirm Datapoint’s involvement or findings. While Datapoint denied responsibility, the scale of the compromise suggested attackers harvested payment card data from numerous CiCi’s locations by exploiting unauthorized remote access. The incident coincided with broader online speculation about vulnerabilities in TeamViewer, though no direct correlation was confirmed. CiCi’s Pizza did not issue a formal breach notification during the initial reporting period, and the full scope of compromised customer data remained undisclosed.
