The popular U.S. restaurant chain Landry’s has discovered malware on the point of sale (POS) system used by 63 of the chain’s brands including Aquarium, Atlantic Grill, Bubba Gump Shrimp Co., Mitchell’s Steakhouse, Morton’s, and Rainforest Café. The malware potentially stole track data, which included card numbers, expiry dates, cardholder’s names, and verification codes.
Landry’s said in its breach notification that it had installed a payment processing system in 2016 which used end-to-end encryption for payment card data. That system prevented card data from being intercepted. However, the handheld devices used by waitstaff to enter kitchen and bar orders operated under a different system. Those handheld devices had card readers, but they were only intended to be used to swipe Landry’s Select Club reward cards. If employees mistakenly swiped credit and debit card numbers on those devices, the malware would have captured card details. According to Landry’s, the malware only scanned for payment card data. Reward card data was not captured by the malware.
The only data obtained by the attackers was from cards that had been accidentally swiped on the order entry system, which Landry’s said only occurred in rare circumstances. The malware did not always capture all credit card data. For certain customers, the cardholder name was not obtained.
For the majority of the affected locations, the malware captured customer card information between March 13, 2019 and October 17, 2019, although a limited number of locations were affected from January 18, 2019. Landry’s has not publicly disclosed how many of its customers have been affected.
The malware has now been removed and additional security has been implemented to prevent further malware attacks. Waitstaff have also received further training.
All individuals who visited one of the 63 affected Landry’s brands (detailed in the image below) between January 18, 2019 and October 17, 2019 should monitor their credit card and account statements for any sign of misuse of their card data and report any theft to their bank and law enforcement.