Popular NYC restaurants Catch NYC, Catch Roof and Catch Steak discovered and removed malware on their point-of-sale (PoS) systems — but not before it exposed credit-card information from unknowing diners.
Catch Hospitality Group, which owns the three NYC hotspots, said in a data-breach notice this weekend that data was exposed for Catch NYC and Catch Roof from March 19 through Oct. 17, and for Catch Steak (which opened just this fall) from Sept. 17 through Oct. 17.
“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date and internal verification code) read from a payment card as it was being routed through these PoS devices. There is no indication that other customer information was accessed,” said Catch Hospitality Group in an online notice.
PoS systems allow customers to make transactions using their credit cards, and typically include a cash register and credit card reader. Catch Hospitality Group said that in this incident, the malware was used on PoS systems at the bar within the affected restaurants.
The Catch restaurants also use PoS devices that waiters bring to the table, so that guests can pay from their tables – but these devices use point-to-point encryption technology and were not affected, said the company.
“The attackers were apparently unable to monitor transactions from the portable PoS devices due to the use of point-to-point encryption,” Craig Young, computer security researcher for Tripwire, told Threatpost via email. “It’s rather puzzling why encryption would not be used on all connections particularly in response to various other merchants falling to similar hacks in the past.”
Beyond its flagship restaurant Catch NYC, Catch Hospitality Group has opened branches of the popular seafood restaurant in various locations across the U.S. and Mexico (including Los Angeles, Las Vegas and Playa del Carmen); these other locations were not affected, however. Catch Hospitality Group did not say how many customers were impacted; Threatpost has reached out for further comment.
“During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment-card data,” said Catch Hospitality Group. “In addition, we have reported the incident to our payment processor and are supporting an investigation by law enforcement.”
With the holidays approaching and online shopping activity ramping up, PoS malware is a top concern for retailers.
In the past, large brands like Applebee’s, Checkers and North Country Business Products have fallen victim to PoS malware. Meanwhile, new PoS malware strains like GlitchPOS and PinkKite are popping up with new capabilities bent on stealing payment-card data.
“Point-of-sale systems are an easy target for cybercriminals who can find a soft point to inject their malware and then just siphon off credit-card information without breaking a sweat,” Robert Capps, vice president of market innovation for NuData Security, told Threatpost. “Restaurants and chains must keep a sharp eye out for these intrusions with continuous monitoring and updating patches across the network…. Leveraging a fully integrated multi-layered security approach that includes passive biometrics is one way to nullify the value of stolen information and stop incidents of fraud.”
Catch Hospitality Group, for its part, recommends that users review their payment-card statements for any unauthorized activity: “You should immediately report any unauthorized charges to your card issuer because payment-card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card.”