A restaurant chain has confirmed that a payment card breach affected more than three dozen of the locations it currently manages.
On 14 April, Best American Hospitality Corp. (BAHC) revealed it had received a report indicating someone had stolen payment cards used at some of the corporate-affiliated locations for Shoney’s, an “All American Style Family Restaurant” based in Tennessee.
BAHC, a privately held restaurant chain which manages Shoney’s locations and others, enlisted the help of Kroll Cyber Security, LLC, to figure out what happened. It turns out malware targeted point-of-sale (POS) equipment at the affected restaurants. Upon successful infection, the software sought out customers’ track data, or the name, card number, expiration date, and internal verification code read from the magnetic stripe of a payment card.
The restaurant chain provides more details about the breach in a statement (PDF):
“Based on the investigation, Kroll determined that some of the restaurants were subject to initial data breach from December 27, 2016 (the date of first breach varies by location), until the malware was contained on March 6, 2017. In some instances, the malware appears to have identified data from the card’s magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every cardholder name was identified.”
As of this writing, the malware is believed to have infected the POS equipment at 37 of Shoney’s corporate-affiliated locations. A list of those restaurants is available here and in the statement linked to above.
BAHC continues to work with Kroll to determine what happened and how it can better secure its locations. While that investigation moves forward, individuals who patronized any of Shoney’s affected restaurants since Christmas 2016 should review their credit reports for unauthorized activity. If they come across a charge they don’t recognize, they should report it to their card issuer immediately. Customers should also consider placing a fraud alert and/or a freeze on their credit file.
News of this incident comes approximately two months after Arby’s announced a payment card breach at its corporate restaurant locations.