Dining giant Landry’s disclosed a data breach, Thursday, warning that malware had infected its order-entry systems to steal customers’ payment card information.
Landry’s, which owns over 600 popular American restaurants across 35 states, such as Del Frisco’s Grill, McCormick & Schmick’s, Rainforest Café and more, said that 63 of these restaurants were impacted by malware that targeted customers’ payment card data (a full list of impacted restaurants is available here).
There’s a catch. The point-of-sale (PoS) systems used to process payment card data at Landry’s restaurants – which are typically a common target by PoS malware – had end-to-end encryption enabled. Typically, this type of encryption blocks malware when it attempts to infect a PoS target. The malware instead found success targeting restaurants’ order-entry systems. These systems, which have a card reader attached, allow waitstaff to enter kitchen and bar orders and swipe Landry’s Select Club reward cards.
However, “in rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems,” according to Landry’s in a Thursday notification. “The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved.”
The malware was able to read track data from the the order-entry systems including the cardholder’s name, card number, expiration date and internal verification code. “In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name,” according to Landry’s.
The malware infected systems between March 13, 2019 to Oct. 17, 2019, with a small number of locations affected as early as Jan. 18, 2019. The malware has since been removed from the systems, the company said.
Landry’s did not say how many payment cards were accessed as part of the breach. Threatpost has reached out for further comment.
PoS malware has been a thorn in the retail sectors’ side. In December, convenience-store chain Wawa Inc. disclosed a data breach potentially affecting all of its 850 locations, stemming from malware on its in-store payment processing systems that collected customers’ payment card data.
In the past, large brands such as Catch, Applebee’s, Checkers and North Country Business Products have also fallen victim to PoS malware. Meanwhile, new malicious PoS malware strains like PinkKite are popping up with new capabilities.
Landry’s for its part advised potentially impacted customers to closely monitor their payment card statements for any unauthorized activity.
“Customers should immediately report any unauthorized charges to the financial institution that issued the card because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner,” according to Landry’s. “The phone number to call is usually on the back of the payment card.”
