A major US hospitality chain has revealed that POS malware affecting scores of its restaurant brands may have led to customer card data theft over several months in 2019.
Landry’s claimed in an incident notice this week that 63 of its food and beverage and restaurant concepts — including Morton’s, Bubba Gump and Rainforest Café — had been affected.
Although the firm switched its POS card machines to an end-to-end encrypted system following a 2016 breach, order entry systems were left unprotected — and it is these that are thought to have been affected by the malware.
“Besides the encryption devices used to process payment cards, our restaurants and food and beverage outlets also have order entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards,” the note continued.
“In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order entry systems. The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved.”
Customers who visited between March 13 2019 and October 17 2019 may have been affected, although at “a small number of locations” hackers may have accessed cards as early as January 18 2019, it said.
“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems,” said Landry’s.
“In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name.”
Hackers usually sell this data on the dark web, where buyers use it to create counterfeit cards. Although the advent of EMV cards has largely eradicated this type of fraud across Europe, slow adoption in the US means POS malware attacks like this still happen from time to time.
Last year, restaurant chain Huddle House suffered just such an attack after a third-party POS vendor was compromised.