Capitol Hill credit card fraud wave tied to Broadway Grill
The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one “point of interest.” Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill’s Broadway Grill is also a victim in this wave: personal and business accounts related to the restaurant have been compromised, along with the accounts of a not-yet-known number of customers who ate and drank at the popular eatery.
We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:
We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.
We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can’t happen to any of our customers; there has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.
We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day-to-day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.
We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service’s Electronic Crimes Task Force had identified and “reduced” the threat from what the lead agent called a “point of interest” in the Capitol Hill area.
We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he was not aware of any contact between investigators and either of the Broadway stores. “To my knowledge, we have not been contacted by police. When we are, we will work with them,” the spokesperson said earlier this week.
Meanwhile, the situation is widespread enough, and people are wary enough, that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a growing number of its students and employees who have experienced problems with financial accounts in recent days. But Mike Sletten, director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. “They all reflect that Capitol Hill theme,” Sletten said.
Investigators will not say how the account information was breached, so it is not yet clear what role Broadway Grill’s point-of-sale technology played in the crimes. We contacted the Grill’s POS service provider, Action Systems, Inc. in Silver Spring, Maryland. While they confirmed Broadway Grill’s involvement in the investigation by phone, the statement they sent to us by e-mail does not specify whether ASI has been contacted by investigators. Here’s the brief sent to us by ASI director of sales and marketing Craig Bednarovsky:
Since the release of Restaurant Manager™ v15.1 in 2006, all software designed by ASI has been certified as fully compliant with the Data Security Standards (DSS) of the Payment Card Industry (PCI) and has been listed on the official website of the payment card industry:
Restaurants using Restaurant Manager v15.0 or earlier have been notified repeatedly that they must upgrade to a more current version of the software before they will be able to operate as a PCI Compliant business.
It is the restaurant’s responsibility to act on these repeated warnings.
It is also important to note there are many requirements for PCI compliance that do not relate at all to point of sale software. Restaurants need to adhere to all PCI requirements in order to ensure the protection of sensitive consumer information.
We’ve asked ASI for clarification about their involvement in the investigation and for information on any other Seattle-area businesses they provide services for.
While her company is not the provider for the Broadway Grill, Jeanie Walker, representative for Seattle-based POS provider Dinerware, tells CHS that breaches like this can happen from the technology side of the process or from the restaurant’s own practices involving payment systems. Walker also said her company has not been contacted by investigators in the Capitol Hill case.
“There are 12 steps to being compliant,” Walker said. “Five are in software, seven are on restaurant side.”
Walker said that holes on the restaurant side can range from failing to keep the Wi-Fi isolated and secure on a network separate from the point-of-sale system to storing credit card information incorrectly.
We reported on new ownership for the longtime Broadway food and drink provider this June. Matthew Walsh, a onetime Grill server, and CJ Saretto took over the 20-year-old restaurant this summer.
The software side can definitely break down, too. In this article about the Capitol Hill “fraud spree” on a banking security industry site, one security expert says Seattle’s wave has the earmarks of a software hack:
One security expert says fraudster gangs are very often based in a certain city and target merchants in their own backyards, usually in collusion with an employee who skims the cards.
“What’s unusual here is that multiple merchants were compromised, meaning that collusion is unlikely, and, therefore, skimming is also unlikely,” says Tom Wills, a senior fraud analyst at Javelin Research. While details are still not known, Wills speculates that a local Seattle-based gang may have performed a “Gonzalez-style” point-of-sale hack, referring to Albert Gonzalez, the mastermind behind the Heartland Payment Systems breach (among others).
Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC, says it appears this fraud is “indicative of the smash-and-grab-type mentality,” during which the objective is to net the largest amount of money in the quickest timeframe, “and get out before you leave too many clues about who you are.”
While the number of reports made around Capitol Hill seems to be massive in scale, there are examples of similar-sized waves being tied to a single restaurant. In September, investigators determined that hundreds of credit card fraud cases were tied to the computer system at one Roseville, California restaurant:
Hundreds of local cases in which thieves have collected credit-card numbers and used them to fraudulently make purchases have been traced to customers who frequented one Roseville restaurant, police said today.
Roseville police said that hundreds of credit-card numbers were compromised at Paul Martin’s American Bistro.
Detectives believe that the problem is isolated to computer systems at the restaurant’s site, 1455 Eureka Road, and “did not involve the external financial services network or any third-party data processing service,” according to a police news release.
The cyber criminals who perpetrated the fraudulent credit-card activity are not known and could be operating anywhere in the world, police said.
The California restaurant remains open after bringing in a security consultant to make sure their business was operating safely.
For now, Broadway Grill stands by itself as the only Capitol Hill business we have connected to the credit card problems. Is it alone on the Hill and in the city in being hit with this kind of threat? Unlikely. Given the mechanics of these crimes, there are other Broadway Grills out there in Seattle and beyond right now. Capitol Hill, as usual, leads the way. It seems likely others won’t be far behind.