US restaurant chain Landry’s revealed a security event that involved the finding of malware on the network of scores of restaurants.
A notice published on the company’s website said the malware they discovered was intended to collect payment card data from cards swiped at its bars and restaurants.
Nevertheless, Landry’s believes that only a minority of users were affected, chiefly owing to security features the company realized in 2016 after it experienced a first infection with POS malware.
Landry’s suggests that after the 2016 card breach they executed a solution that uses end-to-end encryption to conceal customer payment card data while it’s being processed at its restaurants.
By encoding payment card data on its systems, the malware couldn’t access customer data. Nevertheless, this security feature was only active for point-of-sale (POS) terminals.
The security feature that encoded card data was not active for the order-entry system — because it had no reason to be active there.
Order-entry systems are digital systems executed at bars and restaurants. They allow bar and kitchen staff to receive and manage orders using special apps. Some of these systems have card-reading terminals designed to handle customer rewards cards, so users can save preset orders and use loyalty points.
Landry’s says that “it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems.”
Since the order-entry system didn’t encode any of its data, there’s now the risk that the POS malware could have collected and stolen customers’ payment card data.