Malware was discovered on point of sales systems at more than 160 Applebee’s restaurants, exposing credit card information from unknowing diners.
RMH Franchise Holdings, which owns and operates more than 160 Applebee’s stores across the U.S., said that it recently discovered malware infecting its point of sale systems (POS). The malware may have enabled hackers to steal certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods.
Stores were impacted on varying dates, with most POS systems first hit in either November or December 2017 until January, according to RMH’s website.
“RMH believes that unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations,” the company said in a statement.
Upon learning of a potential incident, RMH told Threatpost it promptly launched an investigation, obtained the help of leading cyber security forensics firms, and reported the matter to law enforcement.
“Due to existing security measures that were already in place at RMH, the incident had been contained by the time that it was discovered on February 13, 2018,” an RMH spokesperson told Threatpost.
RMH said it operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants. The company did not respond to a question asking what type of POS device or malware was used in its Applebee’s stores targeted in the attack.
POS malware is a growing menace for retailers in the hospitality industry. Most recently, in January, fashion retailer Forever 21 revealed that malware had sat on certain POS terminals for almost eight months in its stores, allowing hackers steal consumer credit card data from the company.
Other impacted companies in 2017 include Intercontinental Group, which said its payment card systems in 12 of its hotels had been breached. The Hard Rock Hotels and Casinos franchise also was stung by POS malware that managed to infect the chain’s inventory management SaaS application.
“We’re seeing more of these types of breaches happening… it’s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions,” Fred Kneip, CEO of security firm CyberGRX told Threatpost. “As of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.”
In a statement, RMH urged customers to monitor their bankcard statements. But the ultimate security safeguards against POS malware must come from retailers themselves, Kneip said.
“Chain restaurants not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk,” he said.