Payment Information From Zoo Gift Shops Breached, May Include Names And CVVs

Image courtesy of (Chris Goldberg)

Have you bought a cuddly stuffed animal or another souvenir recently during a visit to the zoo? If so, keep an eye on your credit card statements. According to reports from financial institutions and an announcement from one affected zoo, a company that manages zoo gift shops recently had its systems breached.

“Service Systems Associates” is a pretty bland name, but it’s a company that designs and runs cafeterias and gift shops at zoos and other cultural institutions: think historical sites or museums. The news broke earlier this week when the Detroit Zoo announced that its gift shop was part of the breach. Krebs on Security also learned about the possible breach at the Detroit Zoo and eight others from sources at financial institutions, where experts check credit cards with fraudulent transactions to see which merchants the customers have in common.

Yesterday the SSA said that the breach affected nine zoos, but bank sources tell Brian Krebs that there are up to two dozen gift shops that may be involved. Much like the significantly larger recent retail breaches at retailers like Target and Home Depot, baddies gained access to the system through malware in the point-of-sale system, meaning that customers who bought items at the gift shop may have had their card numbers stolen.

The investigation is ongoing, so we don’t know for sure how this happened or what data was taken. It’s possible that customers’ names and CVV numbers (the 3-digit codes on the back of credit and debit cards) were breached as well. Transactions between March 23 and June 26 are possibly affected.

Credit Card Breach at a Zoo Near You [Krebs on Security]
Credit Card Data Breach Affects Gift Shops At Detroit Zoo [CBS Detroit]