The Iowa Attorney General's Office disclosed a data breach affecting FOCUS Brands Inc., specifically its subsidiaries McAlister's Corporation, Moe's Stores LLC, and Schlotzsky's Stores LLC. The incident involved unauthorized malicious code deployed on point-of-sale (POS) systems at both corporate and franchised restaurant locations. The breach occurred between April 11, 2019, and July 22, 2019, during which payment card data including card numbers, expiration dates, and potentially CVV codes was compromised. While the exact number of affected individuals remains unknown, the exposure targeted customers who dined at the impacted restaurants during the specified period. The breach did not involve internal employee data or broader corporate systems but focused solely on financial transaction data linked to customer payments. The company took remedial actions, including removing the malicious code and enhancing security protocols, though the delay in detection (nearly three months) raised concerns about vulnerability management. No evidence suggested the stolen data was used for fraud at the time of reporting, but the potential for financial fraud and reputational harm persisted due to the nature of the compromised information.
Source: https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications/2019/
TPRM report: https://www.rankiteo.com/company/gotofoods
"id": "got724082025",
"linkid": "gotofoods",
"type": "Breach",
"date": "4/2019",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': 'Unknown (payment card data at '
'risk)',
'industry': 'Food & Beverage (Restaurant Franchising)',
'location': 'United States',
'name': 'FOCUS Brands Inc.',
'type': 'Parent Company'},
{'customers_affected': 'Unknown',
'industry': 'Fast Casual Restaurants',
'location': 'United States',
'name': "McAlister's Corporation",
'type': 'Subsidiary/Franchise'},
{'customers_affected': 'Unknown',
'industry': 'Fast Casual Restaurants',
'location': 'United States',
'name': "Moe's Stores LLC",
'type': 'Subsidiary/Franchise'},
{'customers_affected': 'Unknown',
'industry': 'Fast Casual Restaurants',
'location': 'United States',
'name': "Schlotzsky's Stores LLC",
'type': 'Subsidiary/Franchise'}],
'attack_vector': 'Unauthorized code (likely malware or skimming)',
'data_breach': {'data_exfiltration': 'Likely (payment card data targeted)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': 'Potentially (if '
'linked to payment '
'cards)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Payment card data']},
'date_publicly_disclosed': '2019-10-02',
'description': "The Iowa Attorney General's Office reported a data breach "
"involving FOCUS Brands Inc., specifically McAlister's "
"Corporation, Moe's Stores LLC, and Schlotzsky's Stores LLC. "
'The breach involved unauthorized code targeting payment card '
'data at corporate and franchised restaurants from April 11, '
'2019, to July 22, 2019. The specific individuals affected are '
'unknown.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'payment card data exposure',
'data_compromised': ['Payment card data'],
'identity_theft_risk': 'High (payment card data exposed)',
'payment_information_risk': 'High (directly targeted)',
'systems_affected': ['Point-of-Sale (POS) systems at corporate and '
'franchised restaurants']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (common for '
'payment card breaches)',
'high_value_targets': ['Payment card data']},
'motivation': 'Financial gain (payment card data theft)',
'references': [{'source': "Iowa Attorney General's Office"}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to Iowa '
"Attorney General's "
'Office'},
'response': {'communication_strategy': 'Public disclosure via Iowa Attorney '
"General's Office"},
'title': "Data Breach at FOCUS Brands Inc. (McAlister's, Moe's, Schlotzsky's)",
'type': 'Data Breach'}