During the investigation, the company removed the malware.
Landry’s, a U.S. restaurant, hospitality, entertainment, and gaming company, recently reported that it was hit with malware that may have affected customers’ credit card information.
The corporation, run by Houston Rockets owner Tilman Fertitta, said in a statement on its website that in “rare circumstances” cards were mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders, as opposed to the point-of-sale terminals, which have end-to-end encryption technology that makes card data unreadable. The end-to-end encryption technology, which was installed at all Landry’s locations in 2016, was working and prevented malware from accessing card data from those encrypted devices. The payment cards affected do not include Landry’s Select Club rewards cards.
The company owns and operates more than 600 locations and 60 brands such as Landry’s Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s, Mastro’s Restaurants, and Rainforest Café.
The malware searched for track data after it was entered into the order-entry systems. Track data may include the cardholder’s name, card number, expiration date, and internal verification code. In some cases, the malware only identified part of the magnetic stripe that contained payment card information without the cardholder’s name.
Data from the cards may have been accessed between March 13, 2019, and October 17, 2019, according to the company. At a few locations, access to the information may have occurred as early as January 18, 2019.
“In order for a security control to be effective, it must be effectively implemented,” Tim Erlin, vice president of product management and strategy at cybersecurity firm Tripwire, said in an email to FSR. “End-to-end encryption is a good security control for point-of-sale systems, but it only works when it’s present and configured correctly.
“While theft of credit cards from physical point-of-sale systems has decreased significantly in recent years, it’s clearly not completely eradicated. This incident is a good reminder to other retailers to evaluate their threat models for meaningful gaps.”
During the investigation, Landry’s removed the malware and implemented enhanced security measures, and it is now providing additional training to waitstaff. The company is also continuing to support law enforcement’s investigation.
Landry’s asked consumers with any questions to call 833-991-1538 from 8 a.m. to 8 p.m. Central Standard Time, Monday through Friday.