Payment cards mistakenly swiped on unencrypted systems

Payment cards used at dozens of US restaurants have been impacted by malware found on systems intended for entering bar and kitchen orders and swiping rewards cards.

In a recent breach notification, restaurant operator Landry’s said that “in rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems.”

Landry’s said that unlike its point-of-sale (POS) terminals, these systems do not secure payment card data with end-to-end (E2E) encryption.

The Houston-based company, which operates more than 600 restaurants, hotels, casinos, and other entertainment establishments worldwide, said payment cards used in 63 restaurants between March 13 through October 17 last year were potentially impacted, including well-known chains such as the Holiday Inn, The Westin, and Bubba Gump Shrimp Co.

A “small number of locations” may have been affected as early as January 18, 2019, it added.

The malware is reported to have targeted the ‘track data’ found on the magnetic stripe of payment cards, comprising cardholder names, card numbers, expiration dates, and internal verification codes of an undisclosed number of individuals.

In some cases, however, the malware only accessed a part of the magnetic stripe containing payment card information minus the cardholder name, Landry’s said.

Landry’s emphasized that its POS terminals (as well as its rewards cards) were unaffected by the attack.

“The end-to-end encryption technology on point-of-sale terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices,” it said.

“During the investigation, we removed the malware and implemented enhanced security measures, and we are providing additional training to waitstaff,” it said.

“In addition, we continue to support law enforcement’s investigation.”

E2E encryption was installed on its POS systems after discovering a previous payment card breach at its restaurants in 2016, which had impacted its customers from 2014 onwards.

Laundry’s disclosure is the most recent in a string of successful POS attacks on US restaurant chains in recent months, including three within a few days of each other in November – On The Border, Catch Hospitality Group, and Church’s Chicken.

Other major brands to fall prey to POS malware in 2019 included Krystal, Checkers’ drive-in restaurants, Planet Hollywood-owner Earl Enterprises, and Focus Brands-owned Moe’s Southwest Grill, McAllister’s Deli and Schlotzky’s, The Daily Swig reported.

Landry’s has advised customers to “closely monitor their payment card statements for any unauthorized activity” and “immediately report any unauthorized charges to the financial institution that issued the card.”

The Daily Swig has reached out to Landry’s for comment.

YOU MIGHT ALSO LIKE Travelex pulls systems offline after NYE malware attack