- Gemini has discovered approximately 165,000 compromised Card Present (CP) payment cards offered for sale on the dark web from a breach of the Southern fast-food restaurant Chicken Express. It affected at least 56 locations.
- While the breach itself occurred from May 2019 to March 2020, the records have been appearing on the dark web from August 2, 2019 until the present.
- Cybercriminal demand for CP cards has dropped off sharply since mid-March due to the COVID-19 pandemic and related quarantine restrictions. However, the recent easing of restrictions has translated to an increase in CP card demand across the dark web overall.
- Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data on the dark web.
Gemini has discovered a payment card breach at Chicken Express, a Southern fast-food restaurant with locations in Texas, Oklahoma, Arkansas, and Louisiana. Three of these states were affected by this breach, while the three Louisiana branches have not had confirmed breaches. Approximately 165,000 compromised Card Present (CP) payment cards were stolen from this restaurant and released on the dark web from August 2, 2019 until the present. The breach itself occurred from May 2019 to March 2020 with cards continually extracted and offered for sale on the dark web during this timeframe. Analysis indicated that 56 or more restaurant locations were affected.
Chicken Express has had its customers’ cards exposed once before, in 2010. However, the 2010 incident involved an insider physically present to steal cards. An employee at the Tyler, Texas location swiped cards both at the cash register and at her own skimmer, then used the cards to purchase over $1 million in gift cards with her accomplices. The recent breach from 2019 to 2020 appears to have been a remote hack at a much larger scale, affecting dozens of locations across four states. Gemini has provided its findings to federal law enforcement, which is currently conducting an investigation.
Chicken Express Exposure
The 165,000 compromised Chicken Express cards came from branch locations in Texas, Oklahoma, and Arkansas (Louisiana’s three branches have not had confirmed breaches), with the preponderance of breaches occurring in Texas. This is proportional to the geographical distribution of Chicken Express locations. Analysts have identified each of the 56 branches that appear to have been compromised and marked their respective addresses in the map and table below.
The 56 Chicken Express locations affected by the breach are listed in the table below.
| Address | City | State | ZIP Code |
|---|---|---|---|
| 3014 Cimarron Blvd | CORPUS CHRISTI | Texas | 78414 |
| 1709 State Hwy 46 South | NEW BRAUNFELS | Texas | 78130 |
| 691 South Walnut Avenue | NEW BRAUNFELS | Texas | 78130 |
| 760 Loop 337 | NEW BRAUNFELS | Texas | 78130 |
| 734 S Colorado St | LOCKHART | Texas | 78644 |
| 1256 Hwy 123 | SAN MARCOS | Texas | 78666 |
| 21101 TX-46 | SPRING BRANCH | Texas | 78070 |
| 5493 Kyle Center Dr | KYLE | Texas | 78640 |
| 4760 College St | BEAUMONT | Texas | 77713 |
| 2021 N Loop 336 West | CONROE | Texas | 77304 |
| 1510 S Water St | BURNET | Texas | 78611 |
| 106W 2nd Street | HEARNE | Texas | 77859 |
| 1614 North University Dr | NACOGDOCHES | Texas | 75961 |
| 101 Hwy 79 South | HENDERSON | Texas | 75654 |
| 2000 E. FM 700 | BIG SPRING | Texas | 79720 |
| 1701 West Ennis Ave | ENNIS | Texas | 75119 |
| 1666 W Henderson St | CLEBURNE | Texas | 76033 |
| 828 North Main St | CLEBURNE | Texas | 76033 |
| 209 North Henderson Blvd | KILGORE | Texas | 75662 |
| 795 North Hwy 77 | WAXAHACHIE | Texas | 75165 |
| 2831 Hwy 77 | WAXAHACHIE | Texas | 75165 |
| 2102 Judson Rd | LONGVIEW | Texas | 75605 |
| 2702 Gilmer Rd | LONGVIEW | Texas | 75605 |
| 3130 E Broad Street | MANSFIELD | Texas | 76063 |
| 1151 U.S. 287 Frontage Rd #102 | MANSFIELD | Texas | 76063 |
| 124 McPherson Rd | FORT WORTH | Texas | 76140 |
| 6300 U.S. 287 Frontage Rd | ARLINGTON | Texas | 76017 |
| 5877 South Cooper St | ARLINGTON | Texas | 76017 |
| 6555 Wichita St | FORT WORTH | Texas | 76140 |
| 4451 South Collins | ARLINGTON | Texas | 76063 |
| 4308 College Ave | SNYDER | Texas | 79549 |
| 1606 South Cooper | ARLINGTON | Texas | 76013 |
| 433 US Hwy 271 South | GILMER | Texas | 75644 |
| 609 W. Airport Freeway | IRVING | Texas | 75062 |
| 7335 Boat Club Rd | FORT WORTH | Texas | 76179 |
| 1001 North Saginaw Blvd | SAGINAW | Texas | 76179 |
| 8657 North Beach St | KELLER | Texas | 76248 |
| 791 Keller Pkwy | KELLER | Texas | 76248 |
| 2550 Hickory Creek Rd | DENTON | Texas | 76210 |
| 124 Hwy 59 Loop | ATLANTA | Texas | 75551 |
| 1903 S Jefferson Ave | MOUNT PLEASANT | Texas | 75455 |
| 12055 Custer Rd | FRISCO | Texas | 75035 |
| 1930 N. Lake Forest Dr. | MCKINNEY | Texas | 75071 |
| 2106 North 2nd Ave | CANYON | Texas | 79015 |
| 7104 Bell Street | AMARILLO | Texas | 79109 |
| 2299 Dave Ward Drive | CONWAY | Arkansas | 72034 |
| 7301 I-40 West | AMARILLO | Texas | 79106 |
| 3514 I-40 East | AMARILLO | Texas | 79103 |
| 200 Tascosa Road | AMARILLO | Texas | 79106 |
| 15040 N Pennsylvania Ave | OKLAHOMA CITY | Oklahoma | 73134 |
| 1000 W Danforth | EDMOND | Oklahoma | 73003 |
| 1855 Landers Dr | BENTON | Arkansas | 72015 |
| 625 SW 19th Street | MOORE | Oklahoma | 73160 |
| 5540 SE 29th Street | DEL CITY | Oklahoma | 73115 |
| 12900 NW 10th Street | YUKON | Oklahoma | 73099 |
Chicken Express Demand
The demand for CP data across the dark web has dropped off sharply since mid-March. The most significant reason for this decline is the COVID-19 pandemic. State governments across the United States imposed quarantine restrictions shortly after the pandemic reached critical levels of infection in mid-March. This severely limited the number of in-person transactions nationwide, which are the primary means of cashing out stolen CP cards. Because fraudulent payments with these compromised cards are often most effective in locations close to the point of compromise, travel and business restrictions undercut much of the criminal utility of these cards, which accordingly devastated cybercriminal demand. This effect occurred worldwide, but since the United States is by far the leading source of CP cards, and Chicken Express is a US-based restaurant, the effect was particularly pronounced for this breach.
The Chicken Express breach is one of the largest of 2020. Approximately 165,000 CP cards were stolen from at least 56 compromised locations and posted for sale on the dark web. This also comes within six months of the massive 850-store breach of the convenience store and gas station chain Wawa, which Gemini has previously covered. While the set of compromised Chicken Express cards appears to be almost entirely uploaded and cybercriminal demand for CP cards has suffered due to COVID-19, the recent easing of restrictions and business reopenings has translated to an increase in CP card demand across the dark web overall. Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data.