Chili's got data breached, data breached, data breached
Chili's got data breached, data breached, data breached

Chili's is informing its customers that between March and April 2018 payment card information was compromised at some of its 1,600 locations and industry execs are giving the restaurant chain props for quickly coming forward once the breach was discovered.

The restaurant chain learned of the breach on May 11 and has since determined that malware had been placed on its point of sale machines enabling someone to remove payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases, the company said.

The company did not say how many locations or customers were affected but noted it is working with an outside forensics team to determine the full extent of the breach. Chili's execs also believe its POS system is now secure.

The fact that Chili's was able to quickly react to the news of the breach is considered a good sign by John Gunn, CMO of VASCO Data Security.

"A breach is always bad news, but perhaps the silver lining here is the how quickly the breach was discovered and customers were notified. This gives hackers less time to exploit the stolen debit and credit cards and makes the breach less valuable to criminals,” he said.

Travis Smith, principal security researcher at Tripwire, also praised Chili's quick response but added there are methods available for retailers to protect their systems.

“Using application whitelisting to prevent unknown programs from running is generally the best defense against malware such as the one used to steal credit card numbers from point of sale machines. The next best defense is a properly segmented network that isolates payment systems, allowing them to only communicate with critical locations on the internet. This will allow infected machines to prevent credit card data from leaving the company's systems,” he told SC Media.

If the intruder did not access the system onsight there are any number of methods that could have been used to gain access to the chain's back-end systems.

“While PoS devices can be attacked in many ways, the method of infiltration typically falls into one of the following three categories:  Spam emails/exploit kits, scanning the Internet for default or common credentials, and compromising trusted third parties.  However, there is nothing particular in POS themselves that make them more vulnerable.  But they are more interesting to attackers because the credit card data is easily available and they aren't behind traditional network devices,” said Erin Swanson, a senior director at Demisto.


Chili's did not offer any insight into how the breach happened but Chris Roberts, Acalvio chief security architect, noted a restaurant's very nature of being a crowded, busy place lends itself to being an easy target for a cyberattacker.

"High traffic areas and hidden behind the scene areas are riddled with the very systems that retain OUR information and many restaurants still leave them open, have defaults in place, or worse, still have the login information sitting close by. Access to a PoS and their ability to repel malware is still not where it needs to be. It's too easy to tamper with them, root them or attack them in many other ways. Patching, defaults and other issues are still rife," he said.

With this breach Chili's joins a long line of restaurants and retailers who have lost customer payment card data through a POS system. Earlier this month the Hawaiian chain Zippy's was hit, with Saks, Lord & Taylor, Applebee's, Jason's Deli and Forever 21 all experienced similar problems this year.

“Payment and point-of-sale systems are among the most targeted attack vectors in the hospitality industry,” said Bryan Gale, chief product officer for CyberGRX, “Hackers will follow the path of least resistance, and any weakness in this ecosystem can result in the exposure of sensitive information and painful reputational impact. It's important to understand the level of risk exposure introduced by all third parties, but that becomes even more critical for a tier-one partner like a payment processor or point of sale solution provider.”