The POS system was vulnerable between December 2016 and March 2017.

Best American Hospitality Corp. reported that 37 of the Shoney's restaurants it manages and operates were hit with point-of-sale (POS) malware starting in late December and lasting through early March.

The locations – primarily in Tennessee but with a few in South Carolina, Georgia, Louisiana, Alabama, Mississippi and several other states – had the malware remotely installed on their POS systems, resulting in the loss of customer payment card information, the company said in a statement. The malware was operating from December 27, 2016 until March 6, 2017, and for the most part pulled the card owner's name and number off the magnetic strip, although in some cases the name was not removed.

Best American Hospitality, which is based in Atlanta, said it hired Kroll security to help mitigate the problem and is recommending that its customers review their payment card statements for any unlawful purchases.

Shoney's has not yet returned a request by SC Media for further information.

The company did not state how many people might have been impacted by the breach.

John Christly, global CISO for Netsurion, did not have any first-hand information on how the cybersecurity at Shoney's is arranged, but said many owners in the restaurant business often fail to follow a few basic rules.

"Many restaurant owners set up a firewall as a basic security measure and believe their networks will be sufficiently protected," he told SC Media. "In today's cyber world, firewalls can't just be set up and run on their own. While a network firewall is a fundamental security component, it must be actively monitored, managed and updated to be effective. Even still, a managed firewall cannot defend every threat vector."

Best American Hospitality's website does not contain any information regarding its involvement with Shoney's.