2020 Merchant Credit Card Data Breach List

Updated June 2020, not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause at the time the data breach was announced. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too. To make the list, typically companies are only listed if full card data is stolen.


January 2020- Landry’s owns over 600 popular American restaurants across the U.S., including Del Frisco’s Grill, Joe’s Crab Shack, Bubba Gump, Rainforest Café and more. This is the second data breach since 2016, a result a POS malware. Some waitstaff were accessing an old system with card swipers without end to end encryption. TIP: When updating systems, remove all old terminals from facility; leaving on site commonly leads to reuse. As a consumer, avoid any place that uses card swipers.

Retail & Ecommerce

January 2020: Hanna Andersson– online store malware Magecart in their Salesforce Commerce Cloud (previously known as Demandware). I loved this brand when my kids were growing up. Criminals are hacking into vulnerable e-commerce platforms used by online stores and inject malicious JavaScript-based scripts into checkout pages that collect the customers’ payment info and send it to attacker-controlled remote sites. This is an old problem that updated checkout code prevents.

March 18, 2020: TrueFire online store malware Magecart attack, stolen card numbers for 6 months. Ouch.

June 15, 2020: Claires online store only, Magecard attack. Uses Salesforce Commerce Cloud, previously known as Demandware. This appears to be a new twist on Magecart breach.


April 22, 2020 Paay, a NY card payments processor startup, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction belonging to 15 to 20 merchants includes full plaintext credit card number, expiry date and the amount spent.

January 28, 2020 Cornerstone Payment Systems, Christian-friendly company that does “not process credit card transactions for morally objectionable businesses,” left online a database with customer payment transaction data. The database contained 6.7 million records since 2013, and was updating by the day. The database was not protected with a password, allowing anyone to look inside. While there was not full card data taken, I felt notable to list.

April 2020 nCourt runs two payment sites courtpay.org and utilitypay.org using a system called GovPSA. Only hashed data was stolen, but newsworthy because affected data was from a legacy system, which commonly have security issues. The first and last four digits were exposed with other card data from at least three years’ worth of transactions up to and including November 2019.

April 6, 2020: Key Ring, a digital wallet app, left stored customer data of 14 million users accessible in an unsecured database. Users store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers)

North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale (POS) products, initial breach report roughly January 2, 2019 to January 25, though for most, the window is just a day or two. Mostly restaurants and small businesses, usually “level 4” merchants requiring a a PCI Council Qualified Integrators and Resellers for Point of Sale installation. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. North Country Business Products has a lot of QIR’s. At least 139 impacted restaurants with credit card data breach dates here. NCBP POS systems are installed at over 6,500 locations.

Don’t be the next credit card data breach victim!

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Call Christine for technology, merchant services and check processing needs.

Leave a Reply

Your email address will not be published. Required fields are marked *