US restaurant business Landry’s discloses POS malware attack at 63 locations

3 Jan 2020

Bubba Gump Shrimp Co, one of the restaurant chains owned by Landry's. Image: © wolterke/Stock.adobe.com

US hospitality company Landry’s said malware had infected its order-entry systems, leaving customers’ payment card information vulnerable.

US multi-brand dining and hospitality business Landry’s, which operates restaurants such as Bubba Gump Shrimp Co, has announced that around 63 of its 600 restaurants have been affected by a breach.

The company disclosed the breach on Thursday (2 January), warning customers that malware had infected its order-entry systems last year, leaving customers’ payment card information vulnerable. Landry’s shared a list of the potentially involved restaurant locations on its website.

The restaurant business said that in 2016 it installed a payment processing solution that uses end-to-end encryption at all Landry’s owned locations, a security measure implemented after the company’s point-of-sale (POS) computers had been infected with malware.

Landry’s wrote: “We are notifying customers of an incident that we recently identified and addressed involving payment cards that, in rare circumstances, appear to have been mistakenly swiped by wait staff on devices used to enter kitchen and bar orders, which are different devices than the point-of-sale terminals used for payment processing.”

The investigation and response

The company said that it recently detected unauthorised access to its network that supports payment processing systems and launched an investigation.

This identified the operation of malware designed to access payment card data from cards used in person on Landry’s systems at restaurants. With the end-to-end encryption on POS terminals, this data was unreadable by anyone who gained access without authorisation.

However, cards mistakenly swiped on a Landry’s order-entry system, which is designed for use with a Landry’s reward card, may be at risk. As the company noted, in rare instances, some customers cards were mistakenly swiped on the order-entry system.

The company said: “The malware searched for track data (which sometimes has the cardholder name in addition to the card number, expiration date and internal verification code) read from a payment card after it was swiped on the order-entry systems.

“In some instances, the malware only identified the part of the magnetic strip that contained payment card information, without the cardholder name.”

Landry’s said that it has now removed the malware and has implemented enhanced security measures, including offering additional training to staff.

It said that the malware affected systems between 13 March 2019 and 17 October 2019, meaning only customers who visited a Landry’s restaurant within this time frame are affected.

Preventing POS malware attacks

POS attacks are not unusual in the world of cybercrime. In the past, New York restaurant Catch was affected by POS malware, as were 160 Applebee’s locations in the US, while more than 1,000 branches of US fast food chain Wendy’s were affected by a breach in 2015. This type of attack has also been reported in other retail outlets and hotels.

The risk of being affected by POS malware is lower outside of the US, where chip readers are more commonly used for in-person payments. Magnetic strips on cards, such as those swiped in Landry’s, contain unchanging data, whereas chipped cards produce a unique transaction code each time they are used, making it more difficult to replicate payment data.

Some measures that businesses can take to protect themselves against POS malware include running whitelisting technology, which only allows pre-approved applications to run on a system. Code signing can also be used to alert businesses to tampering.

End-to-end encryption is another solution but, as with this case, it won’t work unless it’s applied to every terminal that a customer’s card could possibly be swiped through.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com