Hackers Break Into Eataly's Credit Card System

NEW YORK (CBSNewYork) -- With its gourmet pizzas, hand-made pasta and fine Italian cheeses, Eataly is popular with New Yorkers and tourists alike.

But the personal information of anyone who visited during the first three months of the year could be at risk, CBS2's Sonia Rincon reported Friday.

Eataly says it first noticed a problem a couple of months ago, when several employees, who also shop at the eatery, noticed fraudulent charges on their credit cards. That's when the company says it launched an investigation.

"As soon as we found out, we posted it on our website to make sure all of our customers were informed," Executive Director of Human Resources Cleo Clarke said.

An alert to customers on Eataly's website says, "… it appears that criminals unscrupulously hacked our network system and installed a malware designed to capture payment card transaction data."

Credit security expert Paul Oster said what's troubling about that is unlike other breaches, the theft was happening in real time.

"This was capturing the data as it was being transmitted to the banks for approval," Oster said.

Eataly said the breaches happened between January and April of this year.

Clarke said they affected Eataly's markets, not the restaurants, and since then there's been a security overhaul.

"We added specific procedures, protocols to ensure that this does not happen again," Clarke said.

Some regular customers are wondering why these protections weren't in place before.

"A lot of people are just leaving the default security on whatever systems they buy, instead of actually hiring someone that knows security to actually give it a good overhaul and set it up the way it should be,' Dan Perrigan said.

"Your credit card can be compromised wherever you are," customer Antonia Cantwell added. "I think you run that risk wherever you shop, really."

Oster offered the following advice for just about anyone who shops with credit cards.

"They need to protect themselves, because, obviously, the federal government's not doing it. Eataly's not doing it. Chase, Target … so, get involved in a credit-monitoring program," he said.

And the unfortunate reality is hackers rarely get brought to justice.

"How are you going to prosecute someone who's overseas and abroad? And, again, with computer-based technology, they scramble IP addresses. It's very, very hard to find the person who did this," Oster said.

Eataly said both the NYPD and a private firm are investigating, and they do hope to find who's responsible.

"We are advising all potentially affected customers who made payment card purchases at the Eataly NYC Retail Marketplace during the relevant timeframe to check their bank accounts very carefully and immediately report any suspicious charges or activity to their banks and card issuers," Eataly said in a statement. "In addition, we are offering one year of complimentary fraud resolution and identity protection services to each of our customers who were potentially affected by this incident."

In the meantime, customers who may have been affected can sign up for a year of free protection services, Rincon reported.

In:
• Sonia Rincon