Small-Biz Breaches Stem from Hacks of PC-Based Point of Sale

A café chain in northern New England is telling its customers that hackers may have breached the company’s payments system. The Works Bakery Café is a small target but its experience is indicative of a bigger trend in data security.

The breach represents a type of cyberattack that is rapidly becoming the most common one facing smaller merchants, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

“In talking to financial institutions and small merchants, I am hearing a lot more about a malware download on the PC connected to the swipe device,” Conroy says.

In many cases, the PCs are not infected by only one malicious program, Conroy says. “Sometimes there are two or three malwares on a PC-based system, so apparently the merchant has clicked on two or three websites that download the malware,” she adds.

Most likely, hackers actively targeted The Works Bakery Café because they knew what kind of point-of-sale system the company operates, Conroy says. “Or, it could have been a drive-by download that goes after any vulnerable POS system,” she adds.

The café chain has “no definitive reports” from investigators as to how many cards were potentially exposed during the breach or exactly how the hackers entered the system, says Richard French, founder of The Works Bakery Café chain.

“I am eager to learn more about it and get advice from security experts so as to avoid it ever happening again,” French says.

French released a statement last week, informing café customers that hackers may have infected the company’s point-of-sale computers with malicious software designed to obtain card details as they are swiped through a terminal reader. French pinpoints the breach as possibly taking place at any of the Works Bakery Café locations between mid-January and Feb. 1. French encouraged customers who made purchases in that time frame to closely monitor accounts and report a potential compromise to their banks.

French assures customers that The Works does not store payment data on the company payment systems, and had state-of-the-art cyber security in place when the breach took place. The Works has installed even more security measures since learning of the breach, he adds.

The Brattleboro and Springfield, Vt., Savings and Loan website also informs its customers that it has documented a sharp increase in fraudulent debit card transactions, leading it to determine that the trend is a result of the potential breach at The Works in New Hampshire, Vermont and Maine.

The Works has café locations in Portland, Me., Brattleboro and Manchester, Vt., and Keene, Portsmouth, Durham and Concord, N.H.

 
