Landry’s, Inc., which owns and operates several restaurant chains, yesterday announced that it had “received reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of our restaurants.”
“We immediately began an investigation after receiving these reports and have engaged a leading cyber security company to investigate this matter,” Landry’s said in a statement [PDF]. “We are also working with our processor and payment card networks.”
The data potentially exposed includes cardholder names, card numbers, expiration dates and verification codes.
Landry’s owns and operates more than 500 properties worldwide, including more than 40 brands such as Bubba Gump Shrimp Co., Chart House, Claim Jumper, Landry’s Seafood, Mastro’s Restaurants, McCormick & Schmick’s, Morton’s The Steakhouse, and Rainforest Cafe.
At this point, Landry’s says it doesn’t know how many of its properties may be affected. “Even though we will not know the full scope of this incident until the investigation is completed, we will work vigilantly to address any potential issues that may affect our customers,” the company stated.
“Well before we learned of this, Landry’s began implementing end-to-end encryption at its locations, which means that card data is encrypted when it is swiped and it remains encrypted throughout our system,” Landry’s added. “We began implementing end-to-end encryption even before we received these reports and approximately 92 percent of our locations have been converted.”
Investigative reporter Brian Krebs, who first broke the news of the Landry’s breach, says industry sources have told him it appears to have started in May 2015.
“Cybercrime costs businesses more than $300 billion worldwide, and a majority of it is due to stolen credit cards or identity information — items of significant monetary value to a hacker,” Netsurion chief of security and compliance Brad Cyprus told eSecurity Planet by email. “As 2015 draws to a close, the frequency of threats is not slowing down — if anything, the pace of the busy holiday season has served as a distraction for businesses like restaurants, small hotels and hospitality chains.”
“Prioritizing security needs and resolving to outsource data and network security should be business imperatives for 2016, using minimally invasive solutions, rapid response times and state-of-the-art technology to secure customer data for businesses who can’t or simply don’t want to manage security themselves,” Cyprus added.