Published: March 7, 2020 in our Security Fraud News & Alerts Newsletter.
Landry’s Inc., a Houston-based mega corporation operating over 600 restaurants, hotels, and casinos in 35 states, experienced its second data hack in three years. The company behind Bubba Gump Shrimp Co., Chart House, Joe’s Crab Shack, and McCormick & Schmick’s, just to name a few, announced a recent payment-card data hack sure to give some customers a lasting case of heartburn. According to Landry’s, the data breach occurred from March to October 2019. Other access may have happened as early as January 18, 2019.
The company says a limited number of customers at some of their food and beverage outlets had their payment card data stolen in a highly unusual and unintentional security event. They claim the hacks involved waitstaff mistakenly swiping payment cards into devices used for entering food and beverage orders, which led to the data being heisted. Landry’s points to human error as the true culprit behind the breach and claims it was not the result of a specific attack.
Confusingly, Landry’s investigation also identified the presence of malware on those devices that was specifically designed to access payment card data. The company was quick to point out that security on their point-of-sale (POS) payment devices was not compromised. The addition of encryption to Landry’s POS devices was the result of a previous hack in 2016. As a result, the end-to-end encryption technology on those devices makes the data unreadable and useless.
The order-entry systems did not use encryption, and the existing malware was able to track and steal card data from those systems. While the breach is still under investigation, Landry’s claims they have removed the malware and says they are providing increased training for their employees regarding POS terminals. They also encourage customers to keep a close check on their payment cards in order to spot unexpected charges. If anything is amiss, contact the card issuer right away. Stay on top of charges for at least one year.
In 2016, hackers installed a data mining program on POS devices at several of Landry’s operations. It was a worldwide attack believed to target particular POS weaknesses at specific locations only. Landry’s claims a root cause of the breach was merchants who were using outdated systems and also those who failed to keep operating systems updated. It’s a cautionary reminder of the importance of keeping systems and software patched and up-to-date, whether the data theft ends up being accidental or intentional.