Caribou Coffee, Bruegger’s Bagels Bitten by Months-Long Breach

Hackers targeted hundreds of coffee and bagel stores across the U.S. to devour customers' credit card info.

Hundreds of Caribou Coffee and Bruegger's Bagels stores were hit by a point-of-sale (POS) system breach aimed at stealing customers' payment-card data.

Hackers gained unauthorized access to the company's POS systems, exposing some customers' data, including names and credit-card details: card number, expiration date and card security code. Card security codes may not be stored after authorization under the PCI Data Security Standard, so their exposure points to data being captured as cards were processed rather than lifted from stored records.

Up to 254 Caribou Coffee stores and 157 Bruegger's Bagels locations were listed as impacted, according to a data security notice from parent company Coffee and Bagels.

Coffee and Bagels said it first detected unusual activity on its network on Nov. 28. Customers who visited company-owned Caribou locations between Aug. 28 and Dec. 3, 2018, could be potentially impacted.

“Upon identifying this issue, we began working with Mandiant, a leading cybersecurity firm, to understand the scope of the incident and determine whether there had been any unauthorized access,” said John Butcher, president of Caribou Coffee, in the security release. “On November 30, 2018, Mandiant reported that it detected unauthorized access to our point of sale systems, exposing some of our customers’ data. Mandiant worked with us to contain the breach and ensure that the unauthorized access was stopped immediately. At this time, we are confident that the breach has been contained.”

The company said the breach has since been contained.

Minneapolis-based Coffee and Bagels owns several popular bagel brands, including Manhattan Bagel, Einstein Bros. Bagels and Noah’s NY Bagels. However, the company reported that only Caribou Coffee and Bruegger’s Bagels were impacted.

The exact number of impacted customers is not known, but Caribou Coffee encompasses 311 company-owned stores and 139 domestic licensed locations in 18 states, and Bruegger's Bagels has 140 company-owned stores and 83 franchises. Given the three-month window of the breach, a significant number of consumers could be impacted.

Coffee and Bagels did not immediately respond to a request for comment from Threatpost with further questions about the cause of the breach and number of impacted customers.

POS malware is a growing menace for retailers and the hospitality industry. In March, malware was discovered on POS systems at more than 160 Applebee's restaurants, exposing credit-card information from unknowing diners. And a year ago, fashion retailer Forever 21 revealed that malware had sat on certain POS terminals in its stores for almost eight months, allowing hackers to steal consumer credit card data from the company.

“Caribou Coffee and Bruegger's, owned by the same parent company, were targets because once hackers could figure out a way in through the POS system, they could hit many targets with just one shot,” Lisa Baergen, VP of Marketing for NuData Security, a Mastercard company, told Threatpost. “It also highlights that no one is immune, not even your local coffee shop. To avoid getting hit by any type of malware, it is essential for all types of companies to continuously monitor POS devices and distribute patches regularly.”


Discussion

  • EJ on

    The specific locations were announced by Bruegger's. See appendix A of their notification: https://assets.coffeeandbagels-static.com/coffeeandbagels/Data-Security-Notice.pdf
  • EJ on

    A list of affected Bruegger's Bagels location is available from the company and can be found with a Google search.
