Darden’s continued efforts with its latest acquisition, Cheddar’s Scratch Kitchen, will now include recovery from a data breach. The company said it was notified by federal authorities that a legacy point-of-sale system at “certain Cheddar’s Scratch Kitchen restaurants,” might have been compromised in a cyberattack incident involving restaurants in 23 states. The company estimates that exposure to be 567,000 payment card numbers, although it continues to assess the scope of the incident, Darden said.
The breach affected payment card information, including card numbers, from guests who visited the Cheddar’s restaurants from November 3, 2017 to January 2, 2018.
Part of Darden’s integration of Cheddar’s into its system has been getting the brand on its proprietary point-of-sale system. This appears to have helped dam the issue.
“Upon being notified of this incident, we activated our response plan and we engaged a third-party forensic cybersecurity firm to investigate,” Darden said in a statement. “Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar's system that was permanently disabled and replaced by April 10, 2018, as part of our integration process.”
“The trust our guests place in us is something we take very seriously, and we regret that this incident occurred. We deeply value our relationships with our guests, and our priority is to assist those who may have been impacted by this incident,” the company added.
Darden also arranged to have ID Experts provide identity protection services at no cost to affected guests.
The states hit by the breach are:
Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.
Darden provided a number (888.258.7250) for customers to call about the identity protection services. They can also enroll on this site.
Darden purchased 170-unit Cheddar’s in April 2017 for $780 million. The brand has slugged along, sales wise, as the parent company of Olive Garden and LongHorn Steakhouse works to get it up to operational speed. It was the only concept in Darden’s eight-brand portfolio to report negative same-store sales in the fourth quarter at negative 4.7 percent. For the entire fiscal 2018, Cheddar’s reported a comps drop of 2 percent, year-over-year.
In July, Darden made a change at the top with Cheddar’s, with president Ian Baines stepping aside. Seasons 52 president Brian Foye also left the company after more than a decade. Dave George, often credited with Olive Garden’s revival, will oversee Cheddar’s as it searches for Baines’ full-time replacement.
Baines was Cheddar’s CEO before Darden’s acquisition of the brand. He previously served as CEO and president of the company’s since-sold Smokey Bones concept and also worked at Brinker International before joining UNO Restaurant Holdings as president and CEO in January 2013. Baines started at Cheddar’s in fall 2014.
Restaurants have been popular targets of security breaches in recent months.
Quick-service chicken chain PDQ announced in June it was the target of a nearly yearlong breach from May 19, 2017 to April 20, 2018. In April, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches in recent months.