Restaurant Chain Landry's Investigates Malware IncidentHouston-Based Firm Describes How Card Data May Have Been Breached
Landry's Inc., a Houston-based company that owns and operates over 600 restaurants, hotels, casinos and other entertainment establishments in the U.S. and around the world, is investigating an apparent data breach after its security team found malware within a system.
The exact size and scope of the breach is not known, but Landry's began notifying customers on Dec. 31, according to a company statement. The security incident appears to have started around March 13 and lasted until about Oct. 17, the company notes. But some exposure could have started as early as January, the company adds.
This is the second time in the last four years that Landry's has been hit with malware targeting payment information. In 2016, the company announced it had investigated attacks at its restaurants and other properties dating back to 2014 and 2015 (see: Landry's Reveals Details of POS Breach).
Malware Targeting Payment Data
Although Landry's now uses end-to-end encryption within its payment system and its point-of-sale devices, it appears that some customers' payment card data was exposed as a result of the malware when waitstaff at some locations mistakenly swiped cards on terminals used to enter kitchen and bar orders, according to the company.
"In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems," the company says. "The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems."
The unidentified malware that the Landry's security found appears to have targeted customers' track data found on the magnetic stripe of payment cards, according to the company. This can include the cardholder name, the card number, expiration date and internal verification code, the company notes.
In some cases, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name, the company notes. Because Landry's used end-to-end encryption within its point-of-sale devices, the malware couldn't read or collect most payment and credit card data it collected, the company states. But when the staff swiped cards at the other terminals, customer data may have been exposed, it acknowledges.
Landry's has published a list of 63 restaurants and other establishments, where customers data could have been exposed. Sites include Bubba Gump Shrimp Co., Morton's Steakhouse, the Golden Nugget and Landry's Seafood.
Landry's did not say when it first discovered the malware within its payment systems, but the company notes that it's been removed. Law enforcement and a private security firm are assisting in the investigation.
Over the last several weeks, security analysist have been issuing warnings about hackers targeting payment card data at merchants.
In November and December, Visa issued several warnings that sophisticated hacking groups were targeting "fuel dispenser merchants" throughout North America by planting malware within the corporate networks that processed payment from fuel pumps (see: Visa: Gas Station Networks Targeted to Steal Card Data).
Meanwhile, the Wawa convenience store chain announced in December that it is investigating how attackers planted malware on point-of-sale devices at nearly all of its over 850 locations throughout the East Coast (see: Wawa Stores: POS Malware Attack Undetected for 8 Months).
And in October, fast-food chain Krystal announced it was investigating a payment card "security incident" that affected as many as 228 of its restaurants across southeastern U.S. states. Attackers targeted the company's payment card processing systems (see: Fast-Food Chain Krystal Investigates Card 'Security Incident').
Restaurants in the Crosshairs
Security analysts say that the hospitality industry continues to struggle with point-of-sale malware, also known as scrapers, which attempts to capture unencrypted card details while those are briefly held in a device's RAM.
In addition, cybercriminals can sometimes capitalize on vulnerabilities in an organization's infrastructure, then try to move laterally to get access to payment processing systems and access unencrypted data, analysts say.