Landry’s Inc, the Houston-based parent company of over 600 restaurants, casinos, and hotels across the United States, has released a blog post notice informing their customers of a data breach. Some of the restaurants potentially affected include Atlantic Grill, Bubba Gump Shrimp, Golden Nugget, Mitchell’s Steakhouse, Rainforest Cafe, Strip House, and Dos Caminos.
In their blog post, Landry’s explains that they were infected with point-of-sale malware. Their payment processing solution, which uses end-to-end encryption to safeguard card data, was undermined by what Landry’s refers to as “rare circumstances”, in which the payment cards were evidently “mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders”. In other words, this breach was likely caused by staff members bypassing the encrypted payment method when processing customer payments.
The affected cards were mined between March 13th and October 17th. The information gathered from each card varies. Many of the cards had their track data mined by the malware. The track data includes the cardholder’s name, their credit card number, the expiration date, and the internal verification code. In some cases, however, the malware only managed to identify the card information and not the name, so those cardholders remained anonymous.
This breach has the potential to be one of the largest restaurant breaches in recent memory. The vast number of restaurants owned by Landry’s leaves a wide attack surface. Additionally, the amount of money stolen per attack could be very high. Many restaurants owned by Landry’s, such as Morton’s, Del Frisco’s, and Mastro’s, are expensive business lunch destinations. In many cases, it’s possible that corporate credit cards with a high funds ceiling could have been swiped and ravaged.
Landry’s states that during the investigation, they managed to remove the malware and enhance their security measures, though they do not specify how. They also state that they are increasing their waitstaff training, likely focusing on the payment entry procedure and how to avoid a scenario like this. Landry’s concludes with a reminder to check your credit and monitor bank account statements to remain vigilant for any malicious activity.