Landry’s, an American multi-brand dining, hospitality, entertainment, and gaming corporation, recently disclosed a point-of-sale (POS) malware attack that stole the company’s payment card data from its order-entry system. The security incident affected around 63 Landry’s restaurants and bar brands.
Landry’s stated the malware was active on its networks from March 13, 2019, to October 17, 2019, and for some locations, it was active since January 18, 2019.
In an official notice, the company stated the malware was designed to collect payment card data from cards swiped at its chain of bars and restaurants. However, Landry’s authorities stated that the impact of the malware attack will be low due to security features it implemented after the company experienced its first malware infection in 2016.
Landry’s claimed that they’ve implemented end-to-end encryption to hide customer payment card data. With this, the malware couldn’t access customer card data even it presents in the system. The company also disclosed a list of affected restaurants and beverage outlets, that it owned, which are impacted in the incident.
“The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved,” Landry’s clarified.
The company urged its customers, who used their payment cards at their premises last year, to review their payment history for any fraud. Landry’s also stated that it is working with law enforcement and a forensics firm to investigate the incident.
“Although the investigation identified the operation of malware designed to access payment card data from cards used in person on systems at our restaurants and food and beverage outlets, the end-to-end encryption technology on point-of-sale terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices,” Landry’s said in a statement.
“Besides the encryption devices used to process payment cards, our restaurants and food and beverage outlets also have order-entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards. In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems,” the statement added.