The Huddle House restaurant chain reported it has closed a point-of-sale data breach that existed one of its third-party vendors from August 2017 until now.
The malware resided on a third-party system and exposed payment card information at some of the chain’s corporate and franchised locations. The company became aware of the situation when it was informed by law enforcement and its credit card processor that some of the locations were infected with malware. The information possibly involved includes cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code.
“Criminals compromised a third-party point of sale (POS) vendor’s data system and utilized the vendor’s assistance tools to gain remote access—and the ability to deploy malware—to some Huddle House corporate and franchisee POS systems,” the company said in a statement.
At this time Huddle House does not know how many people nor which locations were affected, but it is warning customers who used a payment card at any of its locations from August 1, 2017, to today that their information may be at risk.
Huddle House said it has hired an outside forensic firm to investigate the situation.
A number of similar point-of-sale attacks hit a wide variety of companies last year including British Airways and Ticketmaster with the attacks being attributed to the threat actor group Magecart. At this point, Magecart has not been mentioned as part of the Huddle House situation.