Chili's to-go signs hangs outside a restaurant. The brand is cutting its menu to improve operations.

flickr: Mike Mozart

Chili’s believes malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from its payment-related systems.

Some Company-Run Chili's Hit with Security Breach

Brinker is still looking into the scope of the incident.

Brinker International released a statement May 12 stating that an undisclosed amount of Chili’s guests had their payment card information compromised in a “data incident.” Brinker believes the incident was limited to between March–April 2018, however, the company continues to look into the scope of the breach.

READ MORE: A better Chili’s begins to take shape.

Chili’s said it learned of the unauthorized access at corporate-owned restaurants on May 11 and “immediately activated our response plan.” The chain is working with third-party forensic experts to investigate the matter. Law enforcement was notified as well.

Chili’s said it believes that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from its payment-related systems for in-restaurant purchases at certain company-run locations.

“Payment and point-of-sale systems are among the most targeted attack vectors in the hospitality industry," Bryan Gale, chief product officer, of CyberGRX said. "We’ve seen this happen over and over again—at Sonic, Chipotle, Wendy’s, Applebee’s and now Chili’s. As companies continue to evolve into an interconnected network, including franchisees, suppliers and vendors, the importance for ensuring appropriate levels of security at every node is all the more critical. Hackers will follow the path of least resistance, and any weakness in this ecosystem can result in exposure of sensitive information and painful reputational impact. It’s important to understand the level of risk exposure introduced by all third parties, but that becomes even more critical for a tier-one partner like a payment processor or point of sale solution provider.”

As of March 28, Chili’s had 945 corporate stores (940 domestic). Brinker also operates 52 Maggiano’s. There are 689 franchised Chili’s (314 domestic).

Chili’s is coming off a promising first quarter to fiscal 2018. Brinker reported net income of $46.9 million, or $1.02 per share, compared with $42.4 million, or 86 cents per share, year-over-year. Revenue was $812.5 million, up from $810.6 million.

Chili’s company-owned same-store sales dropped 0.4 percent, while U.S. franchise units fell 3.2 percent, and international declined 0.2 percent. Maggiano’s saw a 0.5 percent lift in comps.

Restaurants continue to be a target for hackers. In March it was revealed that RMH Franchise Holdings and its more than 160 Applebee’s restaurants were hit with a security breach. Shoney’s admitted an incident in April.

In the limited-service arena, Jason’s DeliArby’sSonic Drive-InChipotlePizza Hut, and Wendy’s grappled with breaches.