Anyone who’s visited one of two dozen zoos across America over the last several months may want to check their credit and debit card statements. A third party operator of concessions and retail services at zoos from Hawaii to Florida acknowledged this week that it was hit by a data breach earlier this year.
Malware was found embedded in the systems of Service Systems Associates, a Denver based firm that supplies cultural attractions such as zoos and museums with payment card processing systems.
KrebsonSecurity.com, citing “several banking industry sources,” was tipped off about a pattern of credit card fraud at the zoos on Thursday, following a CBS Detroit article Wednesday morning.
According to SSA, attackers commandeered point-of-sale systems that belonged to the zoos’ gift shops for nearly three months, from March to June.
“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”
According to Service Systems Associates that information may contain everything from customers’ card numbers, and names, to other data, including the three-digit CVV security codes that appear on the back of most payment cards.
Zoo visitors who used their card at food, ticket and membership kiosks are reportedly not affected by the breach as those are run on separate systems.
Per protocol, KrebsonSecurity.com said the SSA is looking into the incident along with the help of law enforcement officials and a third-party investigator Sikich.
It’s unclear exactly which locations have been affected by the breach but SSA does have systems in place at roughly two dozen zoos across the country, including locations in San Francisco, Miami, Baltimore, Dallas, and Pittsburgh. So far only officials at the Detroit Zoo and the Houston Zoo have publicly confirmed that their systems were compromised.