A restaurant was informed about an IT security incident at a software provider whose platform it uses for ordering, administration and payments. Attackers gained unauthorized access to personal customer data, including names, email addresses and, in some cases, credit card details. The trigger was the misconduct of an external accounting employee who accidentally entered her access data on a fake login page that looked deceptively similar to the original platform.
Please note that the present case is based on an actual incident. In order to protect the identity of the parties involved, fictitious names are used for the companies and persons involved.
A restaurant that offers online ordering was notified of an IT security incident at one of its software vendors. This provider operates the QuickEatery platform, which the restaurant uses for the ordering system, administration and payment, among other things.
The operator of QuickEatery discovered unauthorized access to customer data. Personal information such as names, e-mail addresses and, in some cases, sensitive data, including the last four digits of the credit cards stored in the system, was affected. QuickEatery’s provider then informed all affected corporate customers, including the restaurant mentioned.
However, the incident was caused by the misconduct of a third party. Criminals obtained the access data for the QuickEatery platform through the careless behavior of an employee of an external accounting firm. The employee tried to log in to the platform to check incoming payments and invoices for the operator of QuickEatery. When this did not succeed, she searched online for an alternative way to log in – and found it.
In the process, she came across a website that looked deceptively similar to QuickEatery’s original site, but had been manipulated by attackers. The credentials entered there were transmitted directly to the threat actors.