Incident: Credit Card Information Breach at Eataly's Flatiron Food Hall

Published Date: 2015-06-10

Postmortem Analysis
Timeline
1. The software failure incident at Eataly, where hackers breached their payment processing system, occurred in the "last month" before the article was published on June 10, 2015 [37126]. Therefore, the software failure incident at Eataly happened in May 2015.

System
1. Payment processing system at Eataly's store in the Flatiron district of Manhattan [37126]

Responsible Organization
1. Russian-speaking cybercriminals were responsible for causing the software failure incident at Eataly and other small businesses [37126].

Impacted Organization
1. Customers of Eataly's Flatiron food hall [37126]

Software Causes
1. Malicious software unleashed into Eataly's payment processing system by hackers, enabling them to potentially steal customer credit card information [37126].

Non-software Causes
1. Lack of sophisticated security defenses in small businesses, making them vulnerable to hackers [37126].
2. Hackers targeting small retailers and restaurants due to weaker security measures compared to big national chains [37126].
3. Insufficient awareness among small businesses about the potential threat of cybercrime, leading to a false sense of immunity [37126].
4. Hackers' insatiable appetite for credit card numbers, driving them to target businesses of all sizes [37126].
5. Increase in requests for insurance coverage against hacking attacks among small businesses [37126].

Impacts
1. The software failure incident at Eataly resulted in the potential theft of customer credit card information, causing disruption to the business, unanticipated costs, expenses, frustration, and concern for customers [37126].
2. The breach affected only customers of the Flatiron food hall, leading to a toll on the company [37126].
3. Eataly had to take steps to notify its customers, investigate the incident, hire legal and forensic help, and offer complimentary identity protection services [37126].
4. The incident led to Eataly cooperating with law enforcement agencies for further investigation [37126].

Preventions
1. Implementing robust cybersecurity measures such as encryption, firewalls, and intrusion detection systems to protect the payment processing system from malicious software attacks [37126].
2. Conducting regular security audits and vulnerability assessments to identify and address any weaknesses in the point-of-sale systems used for credit card payments [37126].
3. Providing cybersecurity training to employees to recognize and avoid spear phishing emails that could lead to the installation of intrusive malware programs [37126].
4. Investing in cybersecurity insurance to mitigate the financial impact of potential hacking incidents and data breaches [37126].

Fixes
1. Implementing more sophisticated security defenses for point-of-sale systems to prevent future breaches [37126].
2. Conducting regular security audits and updates to ensure the system is protected against new malware attacks [37126].
3. Providing cybersecurity training for employees to recognize and avoid spear phishing emails that could compromise the system [37126].
4. Investing in insurance coverage for cyber attacks to mitigate the financial impact of potential breaches [37126].

References
1. Security consultants and law enforcement officials
2. National Small Business Association
3. Threat intelligence analyst with the security firm FireEye
4. Assistant special agent in charge with the Secret Service’s criminal investigative division
5. Harbortouch, a vendor of point-of-sale systems
6. Beazley Group, an underwriter of insurance policies covering hacking incidents
7. Law firm Norton Rose Fulbright
8. Forensic investigator
9. Alex Trautman, a lawyer with Norton Rose Fulbright
10. Eataly's statement [Cite: Article 37126]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - Eataly experienced a breach in its payment processing system due to malicious software, potentially allowing hackers to steal customer credit card information [37126]. - Eataly took steps to notify customers, investigate the incident, and offer complimentary identity protection services, similar to what retail giants do when they are hacked [37126]. (b) The software failure incident having happened again at multiple_organization: - The article mentions that hackers are targeting both small retailers and big national chains like Target and Home Depot, indicating that similar incidents have occurred at multiple organizations [37126]. - The National Small Business Association reported that half of the small businesses surveyed had been victims of hackers' attacks, with 68% of those companies reporting being victimized at least twice, suggesting a recurring issue across multiple organizations [37126].
Phase (Design/Operation) | design, operation | (a) The software failure incident at Eataly was primarily due to a design-related issue. Hackers were able to breach the company's systems by unleashing malicious software into its payment processing system, which enabled them to potentially steal customer credit card information [37126]. This breach was a result of vulnerabilities in the point-of-sale systems used by the company, indicating a failure in the design or implementation of the system's security measures. (b) The software failure incident at Eataly also had elements related to operation. The hackers targeted the company's systems through spear phishing email campaigns aimed at getting unsuspecting employees to download intrusive malware programs that compromised the logon credentials for point-of-sale systems [37126]. This aspect of the attack highlights how the operation and use of the system by employees can also contribute to software failure incidents.
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident at Eataly was caused by hackers who unleashed malicious software into its payment processing system, enabling them to potentially steal customer credit card information [37126]. The breach affected only customers of its Flatiron food hall, indicating that the failure originated from within the system itself.
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident at Eataly was due to non-human actions, specifically hackers who unleashed malicious software into the payment processing system, enabling them to potentially steal customer credit card information [37126]. (b) The article also mentions that the hackers going after retailers, both large and small, are primarily "Russian-speaking cybercriminals" who are not in the United States. Additionally, the Secret Service found that some criminals test out new disruptive malware programs on smaller businesses before targeting bigger companies [37126].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident at Eataly was due to hackers unleashing malicious software into its payment processing system, enabling them to potentially steal customer credit card information [37126]. This incident was a result of a hardware-related failure, as the hackers exploited weak spots in the point-of-sale systems used by the company to process credit card payments. (b) The software failure incident at Harbortouch, a vendor of point-of-sale systems, was due to a malware attack that compromised customer credit card information at some of its merchant locations [37126]. This incident was a result of a software-related failure, as the malware targeted the point-of-sale systems used by the affected merchants.
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident at Eataly was malicious in nature. Hackers unleashed malicious software into the payment processing system at Eataly's store in the Flatiron district of Manhattan, enabling them to potentially steal customer credit card information [37126]. The incident was part of a trend where hackers, particularly Russian-speaking cybercriminals, target small retailers and restaurants, exploiting weak spots in their point-of-sale systems to steal credit card numbers [37126]. The hackers' actions were intentional and aimed at obtaining sensitive information for financial gain.
Intent (Poor/Accidental Decisions) | accidental_decisions | The intent of the software failure incident at Eataly was not explicitly mentioned in the provided article [37126]. However, the incident appears to align more closely with the category of "accidental_decisions" rather than "poor_decisions." The breach at Eataly was caused by hackers who unleashed malicious software into the payment processing system, enabling them to potentially steal customer credit card information. This type of incident is typically associated with external malicious actors exploiting vulnerabilities rather than internal poor decisions made by the organization.
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident at Eataly was not due to development incompetence but rather due to hackers unleashing malicious software into its payment processing system, enabling them to potentially steal customer credit card information [37126]. (b) The software failure incident at Eataly was accidental in the sense that the breach was caused by hackers targeting the company's systems with malicious intent, rather than any accidental introduction of contributing factors by the development team or organization [37126].
Duration | permanent, temporary | (a) The software failure incident at Eataly, where hackers breached their payment processing system to potentially steal customer credit card information, can be considered a permanent failure. The breach affected customers for several months of the year [37126]. Additionally, the disruption to Eataly's business, unanticipated costs, and expenses, as well as the frustration and concern caused to customers, were significant and ongoing [37126]. (b) On the other hand, the incident at Harbortouch, a vendor of point-of-sale systems, can be seen as a temporary failure. The malware attack targeting a small percentage of individual merchant locations was eliminated almost two months ago [37126]. This suggests that the specific circumstances leading to the failure were addressed and resolved within a relatively short period.
Behaviour | crash, value, other | (a) crash: The incident at Eataly involved a breach where hackers unleashed malicious software into its payment processing system, potentially allowing them to steal customer credit card information. This can be considered a crash as the system lost its state and failed to perform its intended function of securely processing payments, leading to a disruption in business operations and customer trust [37126]. (b) omission: The article does not specifically mention any instance of omission where the system failed to perform its intended functions at an instance(s) [37126]. (c) timing: The incident does not involve a timing failure where the system performed its intended functions correctly but too late or too early [37126]. (d) value: The software failure incident at Eataly can be categorized under a value failure as the hackers were able to compromise the system and potentially steal customer credit card information, indicating that the system was performing its intended function of processing payments incorrectly by allowing unauthorized access to sensitive data [37126]. (e) byzantine: The article does not describe the software failure incident at Eataly as exhibiting a byzantine behavior with inconsistent responses and interactions [37126]. (f) other: The other behavior exhibited in this software failure incident could be categorized as a security breach. The hackers were able to infiltrate the payment processing system, indicating a failure in the system's security measures to prevent unauthorized access and protect sensitive customer data [37126].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident at Eataly involved hackers breaching the company's payment processing system, potentially enabling them to steal customer credit card information [37126]. This breach affected customers of Eataly's Flatiron food hall, leading to the potential theft of credit card information. The company mentioned significant disruption to their business, unanticipated costs and expenses, as well as frustration and concern caused to their customers [37126]. Additionally, the incident led Eataly to take steps such as notifying customers, hiring a law firm and forensic investigator, and offering complimentary identity protection services to affected customers [37126].
Domain | sales, finance | (a) The failed system in the incident was related to the sales industry, specifically affecting the payment processing system at Eataly's store in the Flatiron district of Manhattan. Hackers unleashed malicious software into the payment processing system, potentially enabling them to steal customer credit card information [37126]. (h) The incident also pertains to the finance industry as it involves the manipulation and movement of money for profit. The hackers targeted the credit card information of customers, indicating a financial motive behind the breach [37126].
