Incident Of The Week: Quaker Steak & Lube Alerts Customers To Payment Card Incident

Remotely Accessed Point-of-Sale Terminals Used To Deploy Malware


Jeff Orr


The independent owners and operators of several Quaker Steak & Lube casual dining restaurants have disclosed that customer payment card data was sent to an unauthorized source due to malware infecting the stores’ retail point-of-sale (POS) terminals over weeks to months during 2019.

Quaker Steak & Lube is a casual dining restaurant chain based in Sharon, Pennsylvania known for its chicken wings and variety of sauces. The company has 42 stores located in Florida, Indiana, Iowa, Kentucky, Louisiana, New Jersey, Ohio, Pennsylvania, South Carolina, Tennessee, Virginia and West Virginia. The company was acquired out of bankruptcy in 2015 by TravelCenters of America (T/A).

Franchise Locations Hit With Retail POS Malware

At the time of publication, seven independently owned and operated Quaker Steak & Lube locations have issued breach disclosures. All seven locations stated that their payment card terminals were infected with malware that captured customer data, though the start and end dates varied:

| Store Location | Infected POS Dates |
|---|---|
| Bloomsburg, PA | February 14, 2019 and September 6, 2019 |
| Charleston, WV | February 14, 2019 and August 19, 2019 |
| York, PA | June 14, 2019 and August 5, 2019 |
| State College, PA | June 14, 2019 and August 5, 2019 |
| Canton, OH | June 14, 2019 and August 23, 2019 |
| Mentor, OH | July 2, 2019 and July 10, 2019 |
| Columbus, OH | July 4, 2019 and September 6, 2019 |


Remotely Accessed POS Management System Presumed To Be Vulnerability

All of the notifications point back to a common POS system managed by Midwest POS Solutions. The store owners were alerted to unusual activity relating to payment cards that may have been used at these restaurant locations and began working with third-party forensic investigators to investigate the report.

Through the investigations, it was discovered that payment card information may have been accessed as a result of the installation of malicious software on the POS system used at these restaurants. It was further determined that Midwest POS credentials were used to remotely access the POS system at these locations, which allowed an unauthorized actor to deploy the malicious software onto the POS system.


Information Involved In Data Incident; Incident Response Efforts

The investigations determined that payment card information, such as name, card number, expiration date, and/or CVV (magnetic stripe track data), for cards used at the restaurants during the disclosed periods may have been involved in this incident.

The store owners worked with multiple forensic investigative firms to conduct investigations into this incident and to assist in remediation efforts. The owners have also deployed tools to contain, disable, and remove any malware that may have been installed on their restaurant systems and have enhanced existing security measures to reduce the likelihood of future incidents.
