July 7, 2017

B&B Theatres, a company that owns and operates the 7th-largest theater chain in America, says it is investigating a breach of its credit card systems. The acknowledgment comes just days after KrebsOnSecurity reached out to the company for comment on reports from financial industry sources who said they suspected the cinema chain has been leaking customer credit card data to cyber thieves for the past two years.

bandbHeadquartered in Gladstone, Missouri, B&B Theatres operates approximately 400 screens across 50 locations in seven states, including Arkansas, Arizona, Florida, Kansas, Missouri, Mississippi, Nebraska, Oklahoma and Texas.

In a written statement forwarded by B&B spokesman Paul Farnsworth, the company said B&B Theatres was made aware of a potential breach by a local banking partner in one of its communities.

“Upon being notified we immediately engaged Trustwave, a third party security firm recommended to B&B by partners at major credit card brands, to work with our internal I.T. resources to contain the breach and mitigate any further potential penetration,” the statement reads. “While some malware was identified on B&B systems that dated back to 2015, the investigation completed by Trustwave did not conclude that customer data was at risk on all B&B systems for the entirety of the breach.”

The statement continued:

“Trustwave’s investigation has since shown the breach to be contained to the satisfaction of our processing partners as well as the major credit card brands. B&B Theatres values the security of our customer’s data and will continue to implement the latest available technologies to keep our networks & systems secure into the future.”

In June, sources at two separate U.S.-based financial institutions reached out to KrebsOnSecurity about alerts they’d received privately from the credit card associations regarding lists of card numbers that were thought to have been compromised in a recent breach.

The credit card companies generally do not tell financial institutions in these alerts which merchants got breached, leaving banks and credit unions to work backwards from those lists of compromised cards to a so-called “common point-of-purchase” (CPP).

In addition to lists of potentially compromised card numbers, the card associations usually include a “window of exposure” — their best estimate of how long the breach lasted. Two financial industry sources said initial reports from the credit card companies said the window of exposure at B&B Theatres was between Sept. 1, 2015 and April 7, 2017.

However, a more recent update to this advisory shared by my sources shows that the window of exposure is currently estimated between April 2015 and April 2017, meaning cyber thieves have likely been siphoning credit and debit card data from B&B Theatres customers for nearly two years undisturbed.

Malicious hackers can steal credit card data from organizations that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can then use that data to clone the cards and use the counterfeit cards to buy high-priced merchandise from electronics stores and big box retailers.

The statement from B&B Theatres made no mention of whether their credit card systems were set up to handle transactions from more secure chip-based credit and debit cards, which are far more difficult and expensive for thieves to counterfeit.

Under credit card association rules that went into effect in 2015, merchants that do not have the ability to process transactions from chip-based cards assume full liability for all fraudulent charges on purchases involving chip-enabled cards that were instead merely swiped through a regular mag-stripe reader at the point of purchase.

If there is a silver lining in this breach of a major silver screens operator, perhaps it is this: One source in the financial industry told this author that the breach at B&B persisted for so long that a decent percentage of the cards listed in the alerts his employer received from the credit card companies had been listed as compromised in other major breaches and so had already been canceled and re-issued.

Interested in learning the back story of why the United States is embarrassingly the last of the G20 nations to move to more secure chip-based cards? Ever wondered why so many retailers have chip-enabled readers at the checkout counter but are still asking you to swipe? Curious about how cyber thieves have adapted to this bonanza of credit card booty? If you answered “yes” to any of the above questions, you may find these stories useful and/or interesting.

Why So Many Card Breaches?

The Great EMV Fake-Out: No Chip for You!

Visa Delays Chip Deadline for Pumps to 2020

Chip & PIN vs. Chip and Signature


20 thoughts on “B&B Theatres Hit in 2-Year Credit Card Breach

  1. IRS iTunes Card

    Another day, another breach !

  2. Jim

    Why don’t they require businesses reported breaches that they disclose whether they were taking CHIP cards or NOT.

  3. Sadly Not Surprised

    “If there is a silver lining in this breach of a major silver screens operator, perhaps it is this: One source in the financial industry told this author that the breach at B&B persisted for so long that a decent percentage of the cards listed in the alerts his employer received from the credit card companies had been listed as compromised in other major breaches and so had already been canceled and re-issued.”

    Only to be compromised yet again by the sheer incompetence on the part of B&B Theaters. The only way this is going to at least be curtailed is to make not only the corporations legally responsible for any and all damages but also fined heavily based on GROSS income. Then we make executives making these decisions personally financially liable for their corner cutting mentalities.

    1. Security Guy

      I totally agree! We all know IT security is hard. IT security will continue to be looked down on by the C-suite, until executives are held accountable for breaches. You can’t outsource responsibility for the data you hold!

    2. PattiM

      I don’t know – the financial institutions are not in it for the love of credit cards, they’re in it for profit – whether that involves being secure or insecure. I’m not sure the current administration’s ideologies are in line with the idea of increased gov’t regulation – what do you think?

  4. B. Brodie

    wow – two years? there’s an IT manager who will be serving frappuccinos at McD’s very soon…

    1. KathyB

      I wouldn’t trust that person to even do that.

  5. Ronal Kumar

    Looks like its cheaper to pay insurance then to invest in aging systems and tighten security around them.

  6. Jordan

    Correct me if I am wrong, but won’t it only matter to the merchant that the stolen card was used AFTER it was cloned and used at that business if that business then authorized via swipe and not chip? Since B&B wasn’t where the cards were “used” they aren’t liable for the resulting fraud since they are the source and not where it was used after.

    1. Gnecht

      Research “PCI Compliance Violation.”

  7. vb

    Add this one to the long list of retailers without network egress monitoring. For two years, they had no idea what was leaving their network.

    I’d further bet that they have no network segmentation, the point-of-sale network is the same as the administrative network.

  8. K

    While I know it says Arizona in the top of the Wikipedia article, I don’t believe they’re located here in AZ. I’ve never heard of them and lower in the Wiki article it doesn’t give any other details nor on their actual site can I find a location here. Splitting hairs, but just got curious since I live here and have never heard of them.

  9. spagafus

    Maintaining PCI DSS compliance is not easy and not cheap. But it’s way cheaper that what B&B will ultimately have to pay for this breach.

  10. Jim

    I am highly disturbed. But for another reason. Who notified the card holders? I guess no one? Oh, and who notified the originating hacked business? Again? Like I say, it must not be against the law? To hack the businesses, or the clients. The only ones illegal to hack are the banks and credit card companies. And they have no responsibility to tell the customer? After all, the company was notified after two years, why so long?

  11. spagafus

    What is going on with the comments? Why are some of the disappearing?

  12. Arbee

    Re-reading this story, I found no distinction between tickets purchased on the B&B Theatres website or in person. The implication is the breach affected in-person purchases through point-of-sale / point-of-purchase vulnerabilities rather than tickets purchased on the B&B website. Is this a distinction that makes a difference? If no, sorry to bother you. If yes, which was breached — the web site or the point-of-sale / point-of-purchase stuff or the website?

  13. NomadUK

    Eh. What do you expect from an outfit that spells theatre with an ‘re’ but fails to use the correct word in the first place, ‘cinema’.

  14. Rich

    Hey Brian, FYI-this was reported to Fairmont Cinema in Sebring FL several times beginning in 2015. I guess having a Detective SGT visit their theatre several times did not warrant an investigation. If you need specific information please contact me.

Comments are closed.