Thank you for reaching out to learn more about a security incident at DiBella’s Old Fashioned Submarines. We sincerely regret this happened and any inconvenience or concern it may cause. Based on our efforts, including our close collaboration with law enforcement and the payment card brands, we are hopeful your personal information is not at risk as a result of this incident or that steps have already been taken to mitigate any harm resulting from this incident. Please take a moment to read this notice. After doing so, if you still have additional questions, you can call 866-807-7469.
On August 27, 2018, the FBI and major card brands notified DiBella’s of a potential compromise of customer payment card information processed at some of our stores. According to law enforcement, the sophisticated cybercrime syndicate, FIN7, was behind the attacks and had worked to potentially gain access to payment card data on our store information systems. Since then, we have fully cooperated with the FBI and U.S. Secret Service and the payment card brands to properly assess the scope of the incident and take steps to mitigate any potential harm.
FIN7 has been responsible for launching cyberattacks on hundreds of companies across the country in not only the food services industry, but also other retail chains and stores that process payment card data. Because of the sophistication of FIN7 and the complexity of the attack, our contracted forensics firm was not able to immediately identify the root cause of any compromise for several months, until a particular kind of malicious software, or “malware,” was discovered on some DiBella’s store systems. According to the forensics investigation, this malware could have enabled the theft of payment card data from DiBella’s store systems. DiBella’s immediately took steps to remove this malware with the help of a third-party team of cybersecurity experts and in cooperation with the FBI.
WHAT DATA WAS INVOLVED?
According to our investigation and the intelligence provided by law enforcement, this attack targeted payment card information. This information may have included individual names, payment card numbers, expiration dates, and CVV numbers. However, because of the sophistication of the attack, we have no means by which to identify specifically which individual cards or cardholders may have been compromised. While we have not had any other reports of misuse of customer information, we cannot rule out that access and unauthorized use was still possible.
HOW DO I KNOW IF I AM AFFECTED?
The hard answer to this question is that we simply cannot be certain. FIN7’s expertise and sophistication make it difficult for the company, its card processor, and the payment card brands to know exactly how many people or card numbers were affected. We only know that cards used at some of our stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania between March 22, 2018 and December 28, 2018, may have been at risk. In the case of stores in Cranberry, Pennsylvania, it is possible cards used between September 2017 and December 29, 2018, could be at risk.
Overall, it is possible as many as 305,000 payment cards could have been impacted, but we have no way to know for certain. Based on our investigation, we do not believe every card used during this window was at risk. Furthermore, many of the cardholders may have had cards replaced as a result of this activity or possibly because a card was used at another company or restaurant that was also a victim of the FIN7 attacks. However, we are identifying this conservative window out of an overabundance of caution to enable you to protect yourself.
WHAT HAS DIBELLA’S DONE IN RESPONSE TO THIS INCIDENT?
DiBella’s acted immediately once notified of the risk by law enforcement and the payment card brands. DiBella’s contracted with an approved forensics investigator to conduct an investigation of our store information systems. DiBella’s also contracted a second forensic investigation of its home office corporate systems to rule out any threats or issues to its home office systems that might somehow be related to the alleged access. We worked with the FBI, Secret Service, the payment card brands and our card processor to identify the scope of the incident and related risks and mitigation needed. DiBella’s worked to remove the malware from its affected information systems as soon as it was discovered. In accordance with PCI-DSS standards, all card issuers were notified of the potential risk to card data. If applicable and in accordance with card brand policies and procedures, any potentially impacted cards were monitored for unauthorized use or fraud. When deemed necessary by the payment card brands or issuers, any cards at risk were replaced in accordance with card issuer contracts and requirements.
Since notice of the incident, the company has continued to improve its security, including investing heavily in improvements targeted at protecting against a recurrence of an incident such as this. We have also been continually upgrading our systems in accordance with best practices and industry standards, as well as based on the recommendations of law enforcement and our company’s security advisors.
WHY ARE YOU TELLING US NOW?
As noted above, the company has cooperated with law enforcement since the initial notice of a potential incident. As we have been advised by law enforcement that any such disclosure would not compromise any ongoing investigations, we are providing this notice. The company has not received any customer complaints or reports of misuse of their personal information before or after first notification of the potential incident. As with so many aspects of this incident, we apologize for any inconvenience or concern this incident may have caused.
WHAT DO I NEED TO DO?
As reported to DiBella’s by the payment card brands, any cards at risk because of this attack may have already been replaced by the respective card issuer. However, if you have used a credit or debit card at DiBella’s stores in the states and window of time identified in this notice, please review your credit card or bank statements for any unauthorized charges. As with any time you believe your card information is compromised, we recommend contacting your card issuer, cancelling your card and obtaining a replacement.