Individuals who have wined and dined at theme restaurants such as the Bubba Gump Shrimp Company and the Rainforest Cafe at least once since 2016 may want to review their credit and debit card statements. According to a notice posted by restaurant giant Landry’s shortly after New Year’s Day, hackers were able to inject malware into an internal system that operates separately from the point-of-sale (POS) network, but which nonetheless involved payment cards.
Before discussing details about this security incident, it should be noted that Landry’s POS system was not breached. In fact, the restaurant chain operates a system that not only encrypts data but also blocks all scripts it does not recognize, which means that unrecognized malware would have no effect. There was another card-reader system affected, but not one used for payments. With this in mind, the scope of the incident is sharply reduced because the credit and debit cards that may have been intercepted were not supposed to be swiped in the targeted system anyway.
When you sit at a table or at the bar of the Rainforest Cafe or Del Frisco’s Grill, you have probably noticed that servers interact with more than one card reader. There is the POS for payments, which is encrypted, but there is also an order-entry system that restaurant staff members access by swiping cards that often hang from lanyards around their necks for easy access. In some cases, servers carry a wireless tablet from table to table; this portable card reader can be used to swipe Landry’s Select Club cards, a nice customer loyalty and rewards program.
Between payment cards, access cards, and customer loyalty cards, it would not be unusual for busy Landry’s servers to get these cards mixed up from time to time, which is what happened in this case. Some debit and credit cards were inadvertently swiped to place an order from the table or from the bar to the kitchen; perhaps a MasterCard was swiped instead of a Landry’s Select Club card, thus depriving some customers of points that could have been redeemed for a frozen margarita or a free side order of Cajun shrimp.
Even though Landry’s operates more than 600 restaurants, only 60 locations were affected, and individual cases are limited because most servers employed by this chain are retained based on their ability to carry out their duties with precision. This does not mean that hackers are giving up on attacking point-of-sale systems; if anything, malware targeting card reader terminals is becoming more sophisticated. The intent to breach Landry’s was certainly there, but it did not work as the hackers had hoped.