Some Chili’s restaurant locations suffered a data security incident that might have compromised customers’ payment card details.
Brinker International, a Dallas-based multinational hospitality industry company which operates 1,600 Chili’s restaurants, said it learned of the incident on 11 May. It provided additional details about the event in a press release:
…We believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018….
The parent company further explained that Chili’s does not store customers’ Social Security Numbers, dates of birth or other pieces of sensitive information.
To address the incident, Brinker revealed it’s currently working with third-party forensic experts. It articulated its hopes that their analysis will reveal how the instance of unauthorized access on Chili’s payment systems occurred as well as how many many Chili’s locations and customers the incident affected. Additionally, the company pledged to cooperate with law enforcement, which it notified of the incident.
In the meantime, the hospitality organization made public that it’s working to set up identity theft and credit monitoring services for affected Chili’s customers. It also said that it will post any new information of which it learns to its incident disclosure notice.
On May 11 we learned that some of our Guests’ payment card information from certain restaurants was compromised. We value our relationship with our Guests and are committed to sharing details as we know more here: https://t.co/xWnJ1a7Auy
— Chili's Grill & Bar (@Chilis) May 12, 2018
Customers who used their payment cards at a Chili’s restaurant between March and April 2018 should consider monitoring their bank and credit card statements closely. If they detect any suspicious transactions, they should notify their financial institution and/or card issuer as soon as possible along with local police and the FTC. They might also consider placing a security freeze or fraud alert on their credit reports.
News of this incident places Chili’s on a growing list of restaurants that have suffered data security incidents affecting customers’ payment cards. Those victims include Applebee’s, Shoney’s and Arby’s.
To help protect themselves against similar security events, organizations should consider how they can strengthen the security of their point-of-sale (POS) systems. Tripwire offers a unique perspective in this regard.