Payment systems at several Chili’s restaurants suffer data breach
15 May 2018
International restaurant chain Brinker International confirmed in a blog post on Tuesday that payment systems at several Chili’s restaurants were hacked into by fraudsters between March and April this year, resulting in the breach of payment card information including credit or debit card numbers as well as cardholder names.
The hacking operation was discovered by Brinker International on 11th May, following which it authorised a detailed investigation to confirm the nature and scope of the breach. Even though cardholder names and payment card details were stolen, the firm added that sensitive information such as federal or state identification numbers or full dates of birth was not exposed, as these details were not stored on Chili’s systems.
“On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident. We deeply value our relationships with our Guests and sincerely apologize to those who may have been affected.
“We immediately activated our response plan upon learning of this incident. We are working with third-party forensic experts to conduct an investigation to determine the details of what happened. Below is information on how you can protect yourself and your information.
“We are working diligently to address this issue and our priority will continue to be doing what is right for our Guests. We are committed to sharing additional information on this ongoing investigation with our Guests as we learn more,” the firm said.
Brinker International owns more than 1,600 Maggiano’s and Chili’s restaurants in 31 countries, but the firm did not reveal exactly how many restaurants were affected by the data security incident, or in which countries the hacking operation took place.
Repeated hacking of PoS terminals
News of the breach of payment systems at several Chili’s restaurants comes not long after point-of-sale terminals at around 160 Applebee’s restaurants operated by RMH Franchise Holdings were hacked into between 6th December and 2nd January, resulting in the breach of ‘certain guests’ names, credit or debit card numbers, expiration dates and card verification codes’.
In September last year, Whole Foods Market announced that payment card information of its customers was subjected to unauthorised access at certain taprooms and full table-service restaurants. Even though the breach did not impact every Whole Foods Market store, it did highlight how hackers were looking for every little opportunity to gain access to financial information belonging to citizens.
In the past, hackers were also able to breach point-of-sale servers at as many as 12 hotels run by the InterContinental Hotels Group (IHG) in North America and the Caribbean, stealing hundreds of credit card details in the process.
Commenting on the latest breach suffered by Chili’s restaurants, Ryan Wilk, vice president at NuData Security, said: “Brinker proves to be taking their customer’s online security seriously by reporting the breach incident on the very same day it was discovered so that customers can take action and secure their information right away – by monitoring their credit or freezing it if required.”
“Stolen data, whether it is from this breach or the myriad of breaches in the last years, puts companies and their customers at risk. Companies are starting to implement multi-layered solutions to verify their users based on other parameters in addition to usernames, credit card numbers or passwords.
“Technology such as passive biometrics and behavioural analytics is able to verify a user based on how they behave online, so that even if the right credentials or payment details are presented a fraudulent transaction can be blocked before it goes through,” he added.
Lisa Baergen, director at NuData Security Inc., said that to combat online fraudulent transactions after the credit card information has been stolen, businesses offering services in the card-not-present (CNP) channel need to identify customers using multi-layered technologies that include passive biometrics. This technology monitors the user’s inherent behaviour, making it impossible for hackers to replicate or steal.