The card details of more than three million customers of Dickey's Barbecue Pit, the largest barbecue restaurant chain in the US, have been posted this week on a carding and fraud marketplace known as Joker's Stash.
The discovery was made by Gemini Advisory, a cyber-security firm that tracks financial fraud.
"We worked with several partner financial institutions who independently confirmed our findings," a Gemini Advisory spokesperson said in response to a report the company shared with ZDNet today.
The company said it discovered the breach earlier this week after cybercriminals began advertising a massive collection of payment card details named "Blazing Sun."
After analyzing the data together with its financial partners, Gemini said the data appears to have been obtained after hackers compromised the in-store Point-of-Sale (POS) system used at Dickey's restaurants.
Gemini says hackers appear to have compromised 156 of Dickey's 469 locations, with the compromised restaurants located across 30 states and the highest exposure in California and Arizona.
The security firm said the card data appears to have been collected between July 2019 and August 2020.
The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.
When reached for comment on today's report, Dickey's provided the following statement, indicating that the company is still investigating the incident.
"We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges."