Cybercrime During COVID-19: Chicken Express Breach Affects 56 Locations

June 30, 2020

 

Key Findings

  • Gemini has discovered approximately 165,000 compromised Card Present (CP) payment cards offered for sale on the dark web from a breach of the Southern fast-food restaurant Chicken Express. It affected at least 56 locations.
  • While the breach itself occurred from May 2019 to March 2020, the records have appeared on the dark web from August 2, 2019 until the present.
  • Cybercriminal demand for CP cards has dropped off sharply since mid-March due to the COVID-19 pandemic and related quarantine restrictions. However, the recent easing of restrictions has translated to an increase in CP card demand across the dark web overall.
  • Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data on the dark web.

Background

Gemini has discovered a payment card breach at Chicken Express, a Southern fast-food restaurant with locations in Texas, Oklahoma, Arkansas, and Louisiana. Three of these states were affected by this breach, while the three Louisiana branches have not had confirmed breaches. Approximately 165,000 compromised Card Present (CP) payment cards were stolen from this restaurant and released on the dark web from August 2, 2019 until the present. The breach itself occurred from May 2019 to March 2020 with cards continually extracted and offered for sale on the dark web during this timeframe. Analysis indicated that 56 or more restaurant locations were affected.

Chicken Express has had its customers’ cards exposed once before, in 2010. However, the 2010 incident involved an insider physically present to steal cards. An employee at the Tyler, Texas location swiped cards both at the cash register and at her own skimmer, then used the cards to purchase over $1 million in gift cards with her accomplices. The recent breach from 2019 to 2020 appears to have been a remote hack at a much larger scale, affecting dozens of locations across four states. Gemini has provided its findings to federal law enforcement, which is currently conducting an investigation.

In-Depth Analysis

Chicken Express Exposure

The 165,000 compromised Chicken Express cards came from branch locations in Texas, Oklahoma, and Arkansas (Louisiana's three branches have not had confirmed breaches), with the preponderance of breaches occurring in Texas. This is proportional to the geographical distribution of Chicken Express locations. Analysts have identified each of the 56 branches that appear to have been compromised and marked their respective addresses in the map and table below.

Distribution of compromised and unaffected Chicken Express locations.
Image 1: The chicken icons represent Chicken Express locations, with those highlighted in orange depicting the compromised locations. 

The 56 Chicken Express locations affected by the breach are listed in the table below.

| Address | City | State | ZIP Code |
|---|---|---|---|
| 3014 Cimarron Blvd | CORPUS CHRISTI | Texas | 78414 |
| 1709 State Hwy 46 South | NEW BRAUNFELS | Texas | 78130 |
| 691 South Walnut Avenue | NEW BRAUNFELS | Texas | 78130 |
| 760 Loop 337 | NEW BRAUNFELS | Texas | 78130 |
| 734 S Colorado St | LOCKHART | Texas | 78644 |
| 1256 Hwy 123 | SAN MARCOS | Texas | 78666 |
| 21101 TX-46 | SPRING BRANCH | Texas | 78070 |
| 5493 Kyle Center Dr | KYLE | Texas | 78640 |
| 4760 College St | BEAUMONT | Texas | 77713 |
| 2021 N Loop 336 West | CONROE | Texas | 77304 |
| 1510 S Water St | BURNET | Texas | 78611 |
| 106W 2nd Street | HEARNE | Texas | 77859 |
| 1614 North University Dr | NACOGDOCHES | Texas | 75961 |
| 101 Hwy 79 South | HENDERSON | Texas | 75654 |
| 2000 E. FM 700 | BIG SPRING | Texas | 79720 |
| 1701 West Ennis Ave | ENNIS | Texas | 75119 |
| 1666 W Henderson St | CLEBURNE | Texas | 76033 |
| 828 North Main St | CLEBURNE | Texas | 76033 |
| 209 North Henderson Blvd | KILGORE | Texas | 75662 |
| 795 North Hwy 77 | WAXAHACHIE | Texas | 75165 |
| 2831 Hwy 77 | WAXAHACHIE | Texas | 75165 |
| 2102 Judson Rd | LONGVIEW | Texas | 75605 |
| 2702 Gilmer Rd | LONGVIEW | Texas | 75605 |
| 3130 E Broad Street | MANSFIELD | Texas | 76063 |
| 1151 U.S. 287 Frontage Rd #102 | MANSFIELD | Texas | 76063 |
| 124 McPherson Rd | FORT WORTH | Texas | 76140 |
| 6300 U.S. 287 Frontage Rd | ARLINGTON | Texas | 76017 |
| 5877 South Cooper St | ARLINGTON | Texas | 76017 |
| 6555 Wichita St | FORT WORTH | Texas | 76140 |
| 4451 South Collins | ARLINGTON | Texas | 76063 |
| 4308 College Ave | SNYDER | Texas | 79549 |
| 1606 South Cooper | ARLINGTON | Texas | 76013 |
| 433 US Hwy 271 South | GILMER | Texas | 75644 |
| 609 W. Airport Freeway | IRVING | Texas | 75062 |
| 7335 Boat Club Rd | FORT WORTH | Texas | 76179 |
| 1001 North Saginaw Blvd | SAGINAW | Texas | 76179 |
| 8657 North Beach St | KELLER | Texas | 76248 |
| 791 Keller Pkwy | KELLER | Texas | 76248 |
| 2550 Hickory Creek Rd | DENTON | Texas | 76210 |
| 124 Hwy 59 Loop | ATLANTA | Texas | 75551 |
| 3801 FM2181 | CORINTH | Texas | 76210 |
| 1903 S Jefferson Ave | MOUNT PLEASANT | Texas | 75455 |
| 12055 Custer Rd | FRISCO | Texas | 75035 |
| 1930 N. Lake Forest Dr. | MCKINNEY | Texas | 75071 |
| 2106 North 2nd Ave | CANYON | Texas | 79015 |
| 7104 Bell Street | AMARILLO | Texas | 79109 |
| 2299 Dave Ward Drive | CONWAY | Arkansas | 72034 |
| 7301 I-40 West | AMARILLO | Texas | 79106 |
| 3514 I-40 East | AMARILLO | Texas | 79103 |
| 200 Tascosa Road | AMARILLO | Texas | 79106 |
| 15040 N Pennsylvania Ave | OKLAHOMA CITY | Oklahoma | 73134 |
| 1000 W Danforth | EDMOND | Oklahoma | 73003 |
| 1855 Landers Dr | BENTON | Arkansas | 72015 |
| 625 SW 19th Street | MOORE | Oklahoma | 73160 |
| 5540 SE 29th Street | DEL CITY | Oklahoma | 73115 |
| 12900 NW 10th Street | YUKON | Oklahoma | 73099 |

Chicken Express Demand

The demand for CP data across the dark web has dropped off sharply since mid-March. The most significant reason for this decline is the COVID-19 pandemic. State governments across the United States imposed quarantine restrictions shortly after the pandemic reached critical levels of infection in mid-March. This severely limited the number of in-person transactions nationwide, which are the primary means of cashing out stolen CP cards. Because fraudulent payments with these compromised cards are often most effective in locations close to the point of compromise, travel and business restrictions undercut much of the criminal utility of these cards, which accordingly devastated cybercriminal demand. This effect occurred worldwide, but since the United States is by far the leading source of CP cards, and Chicken Express is a US-based restaurant, the effect was particularly pronounced for this breach.

Conclusion

The Chicken Express breach is one of the largest of 2020. Approximately 165,000 CP cards were stolen from at least 56 compromised locations and posted for sale on the dark web. This also comes within six months of the massive 850-store breach of the convenience store and gas station chain Wawa, which Gemini has previously covered. While the set of compromised Chicken Express cards appears to be almost entirely uploaded and cybercriminal demand for CP cards has suffered due to COVID-19, the recent easing of restrictions and business reopenings has translated to an increase in CP card demand across the dark web overall. Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Cybercriminal hackers breached the Chicken Express restaurant and stole 165,000 compromised Card Present payment cards. Demand was dampened by the COVID-19 pandemic, but it will likely rebound as the quarantine restrictions lessen.
