Pierluigi Paganini October 07, 2019

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summers, crooks used PoS malware to steal payment card data of the customers.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee, they confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands, the fact that they simultaneously disclosed the payment card breaches suggests that attackers were able to compromise some infrastructure shared by the two restaurant chains.

The three restaurant chains confirmed that hackers compromised the payment systems in a period between April 29, 2019 and July 22, 2019. 

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks begun on April 11, 2019, the other two confirmed that attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes it the cardholder name.

The fourth brand that suffered a payment card breach is Hy-Vee, the restaurant chain provided an update to the notice of payment card data incident released on August 14.

The company confirmed that on July 29, crooks compromised some payment processing systems, in this case, the PoS malware remained active more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool to determine the Hy-Vee impacted locations.

Pierluigi Paganini

(SecurityAffairs – restaurant chains, PoS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]