Landry’s owns and operates over 600 restaurants, with 60 well-known brands such as Landry’s Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s, Mastro’s Restaurant, Rainforest Cafe, Del Frisco’s Grill, and many more.
In a “Notice of Data Breach”, Landry’s has disclosed that an unauthorized user was detected on their systems and after completing an investigation it was discovered that POS malware was present on their systems between March 13, 2019, and October 17, 2019. At some locations, the malware may have been installed as early as January 18, 2019.
This POS malware could have been used under “rare circumstances” to steal customer’s credit card information including cardholder name, card number, expiration date, and internal verification code
“We are notifying customers of an incident that we recently identified and addressed involving payment cards that, in rare circumstances, appear to have been mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders, which are different devices than the point-of-sale terminals used for payment processing. This notice explains the incident, measures we have taken, and some steps you can take in response.”
In 2016, Landry’s implemented end-to-end encryption payment systems in all owned locations. Any cards swiped using devices on this end-to-end encryption system would not have been stolen by the POS malware.
Similar to an incident at Catch Restaurant, the locations owned by Landry’s also have order-entry systems with attached card readers that do not use encryption. If a waitstaff mistakenly used one of these systems to process a credit card payment, the POS malware would have been able to steal payment information and send it to the attackers.
This data breach could be the largest one affecting the restaurant industry that we have seen this past year, not only due to the amount of locations, but also due to the clientele.
Some of the restaurant properties owned by Landry’s, such as Morton’s, Del Frisco’s, and Mastro’s, are very popular with business crowds and are very expensive. This could have allowed attackers to gain access to corporate credit cards with very high limits.
Anyone who has dined at these restaurants between January 18, 2019, and October 17, 2019, should contact their credit card company and let them know what has happened.
Customers should also monitor their credit card statements for fraudulent or suspicious charges and immediately dispute them if they are not recognized.