The breach has impacted more than 135 locations and first started in 2015. It wasn't until early March 2016 that several restaurant locations told corporate executives that point-of-sale systems were not working properly. One of CiCi's POS vendors found malware on its terminals, and CiCi's started remediating the breach location by location.
Security blogger Brian Krebs, who runs the website Krebs On Security, broke the news about the breach back in June, but CiCi's just admitted the issue yesterday.
Krebs said he was tipped off by sources at a few financial institutions that were reporting suspicious activity on customer cards last used at CiCi's Pizza locations.
Before CiCi's issued a statement, Krebs confirmed the hack with one of CiCi's third-party point-of-sale providers, Datapoint POS. The company told Krebs that the cybercrooks used social engineering to install the malware on the POS systems. The hackers posed as technical support specialists from CiCi's point-of-sale provider and had the employees install the malware. Once the malware was installed, the hackers remotely captured each credit card or debit card swiped at every infected terminal in real time, which allowed the criminals to collect credit card data as customers paid for their meals.
The hackers made a point-of-sale botnet that "enslaved dozens of hacked payment terminals" in over 135 CiCi's locations and other businesses across the country, Krebs says.
The botnet snatched at least 1.2 million unique debit and credit card numbers, half of which were swiped from CiCi's, while the others came from establishments around the country, including a movie theater in Connecticut, a restaurant in Washington, D.C., and even the famous Lou Malnati's Pizza in Chicago.