Cybercrime During COVID-19: Chicken Express Breach Affects 56 Locations

June 30, 2020

Key Findings

  • Gemini has discovered approximately 165,000 compromised Card Present (CP) payment cards offered for sale on the dark web from a breach of the Southern fast-food restaurant Chicken Express. It affected at least 56 locations.
  • While the breach itself occurred from May 2019 to March 2020, the records have appeared on the dark web from August 2, 2019 until the present.
  • Cybercriminal demand for CP cards has dropped off sharply since mid-March due to the COVID-19 pandemic and related quarantine restrictions. However, the recent easing of restrictions has translated to an increase in CP card demand across the dark web overall.
  • Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data on the dark web.

Background

Gemini has discovered a payment card breach at Chicken Express, a Southern fast-food restaurant with locations in Texas, Oklahoma, Arkansas, and Louisiana. Three of these states were affected by this breach, while the three Louisiana branches have not had confirmed breaches. Approximately 165,000 compromised Card Present (CP) payment cards were stolen from this restaurant and released on the dark web from August 2, 2019 until the present. The breach itself occurred from May 2019 to March 2020 with cards continually extracted and offered for sale on the dark web during this timeframe. Analysis indicated that 56 or more restaurant locations were affected.

Chicken Express has had its customers’ cards exposed once before, in 2010. However, the 2010 incident involved an insider physically present to steal cards. An employee at the Tyler, Texas location swiped cards both at the cash register and at her own skimmer, then used the cards to purchase over $1 million in gift cards with her accomplices. The recent breach from 2019 to 2020 appears to have been a remote hack at a much larger scale, affecting dozens of locations across four states. Gemini has provided its findings to federal law enforcement, which is currently conducting an investigation.

In-Depth Analysis

Chicken Express Exposure

The 165,000 compromised Chicken Express cards included branch locations in Texas, Oklahoma, and Arkansas (although Louisiana’s three branches have not had confirmed breaches), with the preponderance of breaches occurring in Texas. This is proportional to the geographical distribution of Chicken Express locations. Analysts have identified each of the 56 branches that appear to have been compromised and marked their respective addresses in the map and table below.

Distribution of compromised and unaffected Chicken Express locations.
Image 1: The chicken icons represent Chicken Express locations, with those highlighted in orange depicting the compromised locations. 

The 56 Chicken Express locations affected by the breach are listed in the table below.

Address | City | State | ZIP Code
------- | ---- | ----- | --------
3014 Cimarron Blvd | CORPUS CHRISTI | Texas | 78414
1709 State Hwy 46 South | NEW BRAUNFELS | Texas | 78130
691 South Walnut Avenue | NEW BRAUNFELS | Texas | 78130
760 Loop 337 | NEW BRAUNFELS | Texas | 78130
734 S Colorado St | LOCKHART | Texas | 78644
1256 Hwy 123 | SAN MARCOS | Texas | 78666
21101 TX-46 | SPRING BRANCH | Texas | 78070
5493 Kyle Center Dr | KYLE | Texas | 78640
4760 College St | BEAUMONT | Texas | 77713
2021 N Loop 336 West | CONROE | Texas | 77304
1510 S Water St | BURNET | Texas | 78611
106W 2nd Street | HEARNE | Texas | 77859
1614 North University Dr | NACOGDOCHES | Texas | 75961
101 Hwy 79 South | HENDERSON | Texas | 75654
2000 E. FM 700 | BIG SPRING | Texas | 79720
1701 West Ennis Ave | ENNIS | Texas | 75119
1666 W Henderson St | CLEBURNE | Texas | 76033
828 North Main St | CLEBURNE | Texas | 76033
209 North Henderson Blvd | KILGORE | Texas | 75662
795 North Hwy 77 | WAXAHACHIE | Texas | 75165
2831 Hwy 77 | WAXAHACHIE | Texas | 75165
2102 Judson Rd | LONGVIEW | Texas | 75605
2702 Gilmer Rd | LONGVIEW | Texas | 75605
3130 E Broad Street | MANSFIELD | Texas | 76063
1151 U.S. 287 Frontage Rd #102 | MANSFIELD | Texas | 76063
124 McPherson Rd | FORT WORTH | Texas | 76140
6300 U.S. 287 Frontage Rd | ARLINGTON | Texas | 76017
5877 South Cooper St | ARLINGTON | Texas | 76017
6555 Wichita St | FORT WORTH | Texas | 76140
4451 South Collins | ARLINGTON | Texas | 76063
4308 College Ave | SNYDER | Texas | 79549
1606 South Cooper | ARLINGTON | Texas | 76013
433 US Hwy 271 South | GILMER | Texas | 75644
609 W. Airport Freeway | IRVING | Texas | 75062
7335 Boat Club Rd | FORT WORTH | Texas | 76179
1001 North Saginaw Blvd | SAGINAW | Texas | 76179
8657 North Beach St | KELLER | Texas | 76248
791 Keller Pkwy | KELLER | Texas | 76248
2550 Hickory Creek Rd | DENTON | Texas | 76210
124 Hwy 59 Loop | ATLANTA | Texas | 75551
3801 FM2181 | CORINTH | Texas | 76210
1903 S Jefferson Ave | MOUNT PLEASANT | Texas | 75455
12055 Custer Rd | FRISCO | Texas | 75035
1930 N. Lake Forest Dr. | MCKINNEY | Texas | 75071
2106 North 2nd Ave | CANYON | Texas | 79015
7104 Bell Street | AMARILLO | Texas | 79109
2299 Dave Ward Drive | CONWAY | Arkansas | 72034
7301 I-40 West | AMARILLO | Texas | 79106
3514 I-40 East | AMARILLO | Texas | 79103
200 Tascosa Road | AMARILLO | Texas | 79106
15040 N Pennsylvania Ave | OKLAHOMA CITY | Oklahoma | 73134
1000 W Danforth | EDMOND | Oklahoma | 73003
1855 Landers Dr | BENTON | Arkansas | 72015
625 SW 19th Street | MOORE | Oklahoma | 73160
5540 SE 29th Street | DEL CITY | Oklahoma | 73115
12900 NW 10th Street | YUKON | Oklahoma | 73099

Chicken Express Demand

The demand for CP data across the dark web has dropped off sharply since mid-March. The most significant reason for this decline is the COVID-19 pandemic. State governments across the United States imposed quarantine restrictions shortly after the pandemic reached critical levels of infection in mid-March. This severely limited the number of in-person transactions nationwide, which are the primary means of cashing out stolen CP cards. Because fraudulent payments with these compromised cards are often most effective in locations close to the point of compromise, travel and business restrictions undercut much of the criminal utility of these cards, which accordingly devastated cybercriminal demand. This effect occurred worldwide, but since the United States is by far the leading source of CP cards, and Chicken Express is a US-based restaurant, the effect was particularly pronounced for this breach.

Conclusion

The Chicken Express breach is one of the largest of 2020. Approximately 165,000 CP cards were stolen from at least 56 compromised locations and posted for sale on the dark web. This also comes within six months of the massive 850-store breach of the convenience store and gas station chain Wawa, which Gemini has previously covered. While the set of compromised Chicken Express cards appears to be almost entirely uploaded and cybercriminal demand for CP cards has suffered due to COVID-19, the recent easing of restrictions and business reopenings have translated to an increase in CP card demand across the dark web overall. Gemini assesses with a high degree of confidence that this spike in CP demand will likely result in higher sales of stolen Chicken Express payment card data.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.
