Chili’s PoS breach: Want some credit card theft with your baby back ribs?

Have you dug into a plate of Tex-Mex at Chili’s recently?

If so, it may be time for a potential case of indigestion. It’s not the food; it’s a point-of-sale (PoS) breach that Chili’s discovered on Friday. Its parent company, Brinker International, gave customers a heads-up on the same day.

Brinker doesn’t know how many restaurants were affected, nor how many people’s payment details got swept up by the thieves. It’s working with third-party forensics experts on the investigation, which is still assessing the scope of the breach. At this point, Brinker thinks it was limited to the past few months, between March and April.

From what it’s found so far, the company believes that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from its PoS systems for in-restaurant purchases.

Brinker said that its Chili’s restaurants don’t collect taxpayer IDs, full date of birth, or federal or state identification numbers, so at least that sensitive data wasn’t compromised.

Poor Chili’s: it prides itself on being a technological innovator. In 2013, Chili’s claimed to have “revolutionized” the casual dining industry with tabletop tablets. In 2016, it introduced “a new era for online ordering” with features such as pre-order. It also announced the nationwide rollout of mobile payment on its tabletop tablets.

Unfortunately, payment systems can be both a technological innovation and a massive migraine.

We’ve seen at least 40 carwash PoS systems hacked, and their credit card data drained. In that case, the PoS system manufacturer, Micrologic, pointed the finger at vulnerabilities in the remote-access software.

That was in 2013, a year that was ushered in with a new Citadel Trojan malware variant crafted to attack PoS systems using a Canadian payment card processor, closed out with the whale-sized PoS breach at Target in November, and stuffed with plenty of PoS breaches at restaurants, hotels, grocery stores, and other brick-and-mortar retailers sandwiched in between.

Restaurants that have been hit by data breaches more recently include Panera, which had a leaky database on its website for eight months. The records belonged to customers who had registered for a program to order food online.

In March, Applebee’s found PoS malware on payment systems in 167 locations across 15 states, potentially exposing customer credit card data.

Chili’s may be a technology innovator, but it’s just the latest victim of having those innovations pried open by crooks.

Brinker is advising customers who ate at a Chili’s restaurant during March or April to check their credit report and credit card statements, and to consider putting a security freeze on their credit account. The company’s advisory has details on who to contact to get all that done.