Cyber Incident Victim: B&B Theatres

Date: Apr 2015

Location: United States of America

Summary

B&B Theatres experienced a multi-year credit card breach involving malware on its systems, compromising customer payment data. The company engaged a third-party security firm after a banking partner alerted them to suspicious activity, leading to containment efforts deemed satisfactory by credit card partners. Malicious software infiltrated point-of-sale systems, enabling theft of magnetic stripe data for card cloning and fraudulent transactions. The breach persisted undetected for an extended period, with financial institutions observing overlapping exposure windows in their fraud alerts. The incident highlighted vulnerabilities associated with delayed adoption of chip-based card processing technology, though the theater chain did not disclose its EMV implementation status.

Description

B&B Theatres, the seventh-largest theater chain in the U.S., experienced a credit card breach spanning approximately two years, as confirmed in July 2017 after KrebsOnSecurity contacted the company based on financial industry alerts. The breach timeline was initially reported by credit card associations as occurring between September 1, 2015, and April 7, 2017, but updated advisories later extended the window to April 2015 through April 2017. Financial institutions received alerts from credit card brands listing compromised cards tied to B&B locations, though these alerts typically withhold merchant names, requiring banks to identify common purchase points independently. The company, headquartered in Gladstone, Missouri, with 50 locations across nine states and approximately 400 screens, stated it was first notified of potential issues by a local banking partner before engaging cybersecurity firm Trustwave to investigate. Trustwave identified malware on B&B systems dating to 2015 but concluded the breach did not expose customer data across all systems for the entire two-year period. B&B’s public statement emphasized that Trustwave’s investigation contained the breach to the satisfaction of credit card brands and payment processors, though no technical details about containment methods were disclosed. The company committed to implementing "the latest available technologies" to enhance future security but did not specify whether these included chip-card processing systems, despite industry liability shifts in 2015 that penalized merchants without chip-reader capabilities for fraudulent mag-stripe transactions.

Attackers infiltrated B&B’s point-of-sale systems, deploying malware designed to harvest magnetic stripe data from credit and debit cards, enabling criminals to clone cards for fraudulent purchases. The prolonged breach duration—attributed by one financial industry source to undetected malware persistence—resulted in some compromised cards overlapping with prior breaches, leading to preemptive cancellations and reissuance by banks. B&B’s response included internal IT resources collaborating with Trustwave, though the company did not disclose whether forensic analysis revealed how attackers initially gained access or maintained persistence. While the statement asserted customer data security as a priority, it omitted details about the number of affected patrons, geographic concentration of compromised locations, or specific point-of-sale systems targeted. Financial institutions absorbed costs from fraudulent transactions linked to the breach, with liability implications influenced by B&B’s potential non-compliance with chip-card processing requirements. The incident highlighted ongoing challenges in securing legacy magnetic-stripe systems amid the U.S. payment industry’s delayed transition to EMV chip technology, a context underscored by KrebsOnSecurity’s reference to related reporting on EMV adoption barriers. No customer lawsuits or regulatory penalties were mentioned in the source material as immediate consequences of the breach.
