Retail Point-Of-Sale Malware Hits Landry’s Restaurant Group

Waitstaff Potentially Scanned Payment Cards On Infected Order-Entry Systems

Jeff Orr
01/03/2020

Consumer and commercial payment cardholders believe that their card data and personally identifiable information (PII) will be safe when making transactions. However, the lack of adoption of both secure terminal equipment and two-factor authentication (2FA) by cardholders is keeping cyber-attackers in business.

Houston-based Landry's restaurant group recently disclosed unauthorized access to its network that supports the payment processing systems for its restaurants and food and beverage outlets over a 7-month period during 2019. Upon discovering the breach of its systems, the company launched an investigation and engaged an external cyber security firm to assist.

What makes this point-of-sale (PoS) terminal malware different from other recent retail disclosures is that Landry’s had prepared for this type of malware attack. The organization started deploying PoS terminals with point-to-point encryption in 2016 for staff to use at restaurant payment stations.

The data incident occurred on terminals intended to be used exclusively for entering kitchen and bar orders and for swiping restaurant brand loyalty cards. Those terminals lacked the encryption capability of the payment terminals and were susceptible to the malware. The company believes that some payment cards were mistakenly processed by waitstaff on those infected order terminals, and that payment card data from those swipes could have been captured and transferred to an unauthorized source.

The general timeframe when the malware was present on the order-entry systems was March 13, 2019 to October 17, 2019. The investigation further found that access may have occurred as early as January 18, 2019 at a limited number of locations. Landry's provided a list of restaurants and food and beverage outlets involved in the data incident.

As a group, Landry’s owns and operates more than 600 properties, including more than 60 brands such as Landry's Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton's The Steakhouse, McCormick & Schmick's, Mastro's Restaurants and Rainforest Café. It also manages five Golden Nugget Hotel and Casino locations operated by affiliated entities, along with several hotel properties and other entertainment destinations.

How The Payment Card Terminal Malware Works

The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems. In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name.

During the investigation, Landry's removed the malware and implemented enhanced security measures, and Landry's is providing additional training to waitstaff. The law enforcement investigation is still ongoing.

Payment cards are easy pickings for cyber attackers. The combination of retail PoS terminals without encryption and cardholders not adopting chip + PIN cards significantly increases the risk for malware, skimming and compromised data.
