According to a company statement and accompanying list of breached locations, the Coppell, Tex.-based chain in early March began receiving reports from locations that their POS systems were behaving strangely. An examination by the POS vendor turned up malware at certain locations, resulting in a methodical, company-wide security review and remediation effort. Texas was the state hardest hit by the attack, with 87 locations impacted.
A forensics firm further investigated the incident and confirmed in a July 19 report to Cicis that most stores were compromised in March 2016. However, Cicis notes in its statement that a “smaller percentage” of affected restaurants had intrusions dating back to 2015. The company also acknowledged that payment card information “may have been compromised” by the malware strain.
“While we believe most of the breaches were remedied within a few weeks of the intrusion, out of an abundance of caution we are not declaring some restaurants as threat-free until they were reviewed by our forensic analyst this month,” the company added.
"Point-of-sale systems are widely considered to be the weakest link in the security chain for retail businesses. Because checkout terminals are in constant use and usually patched less frequently, they are more vulnerable to malware that steals cardholder data," said George Rice, senior director, payments at HPE Security - Data Security, in comments emailed to SCMagazine.com. "To guard against such threats, “many leading retailers and payment organizations have already adopted data-centric security techniques, such as point-to-point encryption and tokenization to remove live data from the reach of advanced malware in insecure systems.”