It hasn’t been a while that we heard of a wave of point-of-sale malware attacks across various US stores. However now, a US chain of restaurant and property Landry has disclosed a POS malware attack that lasted for months. During the entire period, the attackers could steal users’ credit card data.
Landry Suffered POS Malware Attack
Reportedly, the US-based venture Landry disclosed a POS malware attack affecting its systems for several months. As elaborated in a security notice, the firm recently detected a security breach involving malware at its order-entry systems. They found that the malware pilfered credit card information from swiped cards.
Landry’s recently detected unauthorized access to the network that supports our payment processing systems for restaurants and food and beverage outlets.
They explained that Landry employs robust end-to-end encryption technology at its point-of-sale terminals. However, the breach happened due to erroneous swiping of cards by its staff on the wrong system.
Our restaurants and food and beverage outlets also have order-entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards. In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems. The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems.
Though, the incident didn’t affect the Landry’s Select Club cards (possibly due to the malware design focused at credit cards).
The incident lasted on the restaurant systems for about seven months, that is, March 13, 2019, to October 17, 2019. However, at a small number of locations, it lasted for nine months as it began since January 18, 2019.
Relatively Smaller Impact
Upon noticing the attack, Landry quickly started investigations, involved a cybersecurity firm, and contained the attack. According to the firm, their E2E encryption prevented the malware from pilfering explicit details from the cards swiped on POS terminals.
The end-to-end encryption technology on point-of-sale terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices.
The relatively smaller number of cards swiped on the wrong machines did suffer the breach. In such cases, the information picked up by the malware includes card details (card holder’s names, card number, expiration date, and internal verification code). Whereas, in some other cases, the malware could only read the magnetic stripe and not the cardholder name.
While the attack is over, the restaurant urges all users to monitor their payment cards for any suspicious activity.
Let us know your thoughts in the comments.