The Houston-based steakhouse, restaurant and hospitality company Landry’s, Inc. has advised customers of a point-of-sale malware attack that stole payment card data from an order-entry system used to process kitchen and bar orders.
According to a company breach notification, Landry’s food and beverage locations typically use point-of-sale terminals featuring end-to-end encryption technology that protects the data stored on payment cards’ magnetic stripes. Orders placed on these devices were safe. However, at least some of these outlets also feature a second system intended to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards. This secondary payment system does not feature the same level of protection.
In cases where the waitstaff mistakenly swiped customers’ cards on the devices lacking encryption, the payment data may have been stolen in plaintext by the attackers.
Landry’s has defined the timeframe of the data breach at most locations as approximately March 13, 2019 through Oct. 17, 2019. The company said a “small number of locations” may have been infected as early as Jan. 18.
“During the investigation, we removed the malware and implemented enhanced security measures, and we are providing additional training to waitstaff,” the company notification states. “In addition, we continue to support law enforcement’s investigation.”
Landry’s 60 brands include Landry’s Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s, Mastro’s Restaurants, Rainforest Cafe, and the Golden Nugget hotels and casinos. The company owns and operates more than 600 properties.