Landry’s restaurant chain disclose POS malware incident
US restaurant chain Landry’s disclosed a security incident that involved the discovery of malware on the network of hundreds of restaurants.
According to a notice published on its website, the company said the malware they found was designed to collect payment card data from cards swiped at its bars and restaurants.
However, Landry’s believes that only a small number of users were impacted, primarily due to security features the company implemented in 2016 after it experienced a first infection with POS malware.
A weird card breach
Landry’s says that after the 2016 card breach they implemented a solution that uses end-to-end encryption to hide customer payment card data while it’s being processed at its restaurants. By encrypting payment card data on its systems, even if malware was present on its restaurant network, the malware couldn’t access customer data.
However, this security feature was only active for point-of-sale (POS) terminals — the payment card readers used by waitstaff when customers pay for their meals, drinks, and other orders.
The security feature that encrypted card data was not active for the entry-order system — because it had no reason to be active there.
Order-entry systems are digital systems implemented at bars and restaurants. They allow bar and kitchen staff to receive and manage orders using special apps. Some of these systems have card-reading terminals designed to handle customer rewards cards, so users can save preset orders and use loyalty points.
Landry’s says that “it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems.”
Because the order-entry system didn’t encrypt any of its data, there’s now the danger that the POS malware could have collected and stolen customers’ payment card data.
63 bar and restaurant brands impacted
Landry’s says they found the malware on the networks of 63 bar and restaurant brands the company currently manages. A list of impacted brands and their locations is available here.
The company says that in most instances, the POS malware was active on the networks of bars and restaurants from March 13, 2019, to October 17, 2019, although for some locations, the malware was active since January 18, 2019.
It is very likely that most customers who paid with a payment card at Landry’s-owned bars and restaurants are not impacted.
The company is now advising customers who used their cards at their premises over the last year to review card payment history for any possible fraud.
Additional details and instructions for possibly impacted customers are available on the company’s official security notice. Landry’s said it’s currently working with law enforcement and a forensics firm to investigate the incident.