Four U.S. Food Chains Disclose Payment Card Theft Via Point of Sale Malware
Arthur T Knackerbracket has found the following story:
Hackers caused havoc at four restaurant chains in the U.S. over the summer after compromising their payment systems with malware that stole customers' payment card information.
In the last two days, McAlister's Deli, Moe's Southwest Grill, Schlotzsky's, and Hy-Vee disclosed publicly that their networks were infected with point-of-sale malware copying data from cards used in person at certain locations.
McAlister's, Moe's, and Schlotzsky's together have around 1,500 locations spread across the U.S. and are owned by the same parent company, Focus Brands.
Hy-Vee operates in the retail (fuel pumps, grocery, convenience, drug stores) business and it is employee-owned. It has over 245 locations in the U.S. that registered $10 billion in revenue last year.
Yesterday, the three Focus Brands subsidiaries provided details about a payment card security incident affecting corporate and franchised restaurants (1, 2, 3). The intrusion was ended on July 22 for all three chains although it had started at different dates.
At Moe's and McAlister's, the attackers scraped the information beginning April 29 while at Schlotzsky's the operation began earlier, on April 11.
"The unauthorized code was not present at all locations, and at most locations it was present for only a few weeks in July," reads the notification from the three chains.
[...] It appears that malware was used on PoS devices "at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants."
Unlike the compromise at Focus Brands subsidiaries where the malware resided for about a month on the systems, the duration of the malicious activity at Hy-Vee was much longer.
For fuel pumps, it began on December 14, 2018, while for restaurants and drive-thru coffee shops the malware had been active since January 15, the update informs.
In six locations, though, there are suspicions that the start date for sweeping the card data was November 9, 2018. Furthermore, in one location access to the payment information may have lasted until August 2.
Read more of this story at SoylentNews.