ANNOUNCEMENT FROM GULLIFTY'S RESTAURANT
On February 20, 2017, Saranolt Inc., t/a Gullifty's Restaurant, received notice from their point-of-sale provider, 24x7 Hospitality Technology, LLC, of a potential data breach security incident. An external cyber security firm conducted an extensive forensic analysis of 24x7 Hospitality Technology's network and concluded that, as a result of a sophisticated network intrusion, an unauthorized third party gained access to some customer systems. Due to the installation of malicious software, payment card data, including name, payment card number and expiration date, could be at risk. Although an unauthorized third party may have had access to the payment card data, our investigation has been unable to determine whether or not any of that information actually left our system.
We do know that the system intrusion took place from 10/28/2016 to 1/10/2017 after which time the malware was identified, contained, and eradicated from Saranolt, INC.'s Point of Sale System. Since the resolution of this threat, 24x7 Hospitality Technology now runs daily AVG scans to minimize recurrence of any malware intrusions. In addition, Saranolt, INC. has conducted an intense analysis of current and alternative software providers and has selected a new vendor to ensure that we provide the most secure environment possible for our customers.
If you have any questions, please review our FAQ section below.
Questions & Responses:
What happened?
- Our Point of Sale (POS) system provider, 24x7 Hospitality Technology, LLC, had a security breach of their network.
- As a result, the security of their clients' networks was put at risk.
- Multiple customer systems had the PoSeidon malware variant executed on their POS systems.
- This malware may have enabled credit card data to be extracted prior to encryption.
- Since this occurred within our POS provider's system, we have no way of knowing if any of this data was actually extracted.
When did Saranolt Inc., t/a Gullifty's Restaurant find out about this breach?
- Saranolt, INC first found out about this problem on February 20, 2017, when we received a letter from 24x7 Hospitality that was dated February 13, 2017.
- The letter stated that it was a follow-up to a January 11, 2017 correspondence from 24x7 alerting us to a potential data security breach.
- We have no record of receiving said correspondence even though Deanne Deirmenjian of 24x7 stated that their records indicated it was sent via email to email@example.com, Eugene Johnson's email address.
Why didn't I get a letter or other notification/why did I hear about this from the media?
- We tried to get the names of our impacted customers from our POS provider, our credit card processing company, and the credit card companies themselves. Despite our tireless efforts, none of these entities had, or were willing to provide, the information necessary to contact individuals potentially impacted by this situation. Payment card information does not include address.
- Upon consultation and receiving guidance from legal counsel, all parties agreed that the best and most effective way to let people know about this incident was to provide public notice to the media, post an announcement at Gullifty's Restaurant and on Gullifty's webpage.
Why are you notifying customers and the public about this?
- We are committed to protecting the privacy and personal information of every one of our customers and want to simply inform you of this vendor-caused situation.
- Because there is no way of knowing if any information was actually extracted through the malware variant, and since none of our customers have reported any problems, we would like to verify and confirm that this situation has not caused an inconvenience for any of our customers.
Why did you wait so long to notify me?
- Under the circumstances, we moved as quickly as we reasonably could. It took us some time to receive the details of the scope of the incident with the POS provider, 24x7 Hospitality Technology, LLC.
- Our preference was to notify each one of our customers individually of the potential concern. As there is no established protocol for informing customers in situations such as this, a great deal of time and effort was spent trying to find a way to personally notify our customers about the security breach which may have compromised their credit card information.
- These efforts included but were not limited to: working with our POS provider to ascertain the complete capabilities of our systems and the willingness of 24x7 Hospitality to assist in mitigating the effects of the intrusion, contacting our credit card processor, exploring options to work directly with the credit card companies, contacting people with POS security expertise to evaluate our options, and obtaining legal counsel to provide guidance through the situation. Our goal was to have the respective credit card companies issue all potentially affected customers new cards. We were unable to achieve that goal.
What kind of data was compromised?
- We have no way to know if Track 1 data, Track 2 data or both were compromised by the malware variant.
- The card reader did include both Track 1 data and Track 2 data.
- Track 1 data: primary account number, name, expiration date, discretionary data (determined by the card issuer and may include card code and/or PIN)
- Track 2 data: primary account number, expiration date, discretionary data (determined by the card issuer and may include card code and/or PIN)
- This could include name, account number and expiration date.
- The data does not include the account holder's address.
- The breach only concerns payment card transactions between 10/28/16 and 1/10/17.
Do criminals have access to the lost/stolen data?
- The person/people that inserted the malware into the database of 24x7 Hospitality, LLC, did so without permission, which could have enabled data to be sent out to an unauthorized location.
- There is no way of knowing if data was actually sent to an unauthorized location via the malware variant.
How many people were affected by the data breach?
- Based on information provided to us, as many as 10K transactions could have been impacted. However, due to repeat visits by our loyal customers we know the number of actual cards impacted is significantly less, though we do not know an exact number.
Was the data encrypted?
- The data sent to the credit card processing company was encrypted.
- There was a millisecond of time between the card swipe and the encryption process when the data was susceptible to capture by the malware variant.
Has the missing data been misused?
- We are not aware of any instances of misuse of data; however, monthly statements should be reviewed for unrecognized or unauthorized transactions.
- To our knowledge, Saranolt, INC., has not been identified as a common point of purchase (CPP) in any fraud investigations.
Is there a police investigation?
- We are not aware of any current police investigation.
What steps has Gullifty's taken to assure that there will be no future data breaches?
- 24x7 Hospitality Technology now runs daily AVG scans of Gullifty's POS system to minimize any chance of future malware intrusions.
- Gullifty's Restaurant has conducted a rigorous analysis of alternative software providers and has selected a new POS system provider with state of the art security capabilities.
Identity Theft Concerns
I am concerned about identity theft. What can I do?
- There are steps you can take. Since the information that was taken did not include personally identifiable information, such as social security number, the risk of identity theft is extremely low.
- We suggest that you regularly review your monthly statements that you receive from your payment card issuer.
- If you see ANY purchase/transaction that you believe you did not authorize, please contact your payment card issuer at the number on the statement immediately.
Please accept our sincere apologies for any inconveniences or concerns you may derive from this unfortunate situation. Any additional questions or concerns you have regarding this issue can be directed to:
Eugene L. Johnson
President, Saranolt, INC.
1149 Lancaster Avenue
Rosemont, PA 19010