TX: Landry’s notifies customers of payment card data breach
Their press release:
Landry’s, Inc. (“Landry’s”) takes the security of payment card data very seriously. Years ago (beginning in 2016), Landry’s installed a payment processing solution that uses end-to-end encryption technology at all Landry’s owned locations.
Landry’s is notifying customers of an incident that it recently identified and addressed involving payment cards that, in rare circumstances, appear to have been mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders, which are different devices than the point-of-sale terminals used for payment processing. This notice explains the incident, measures Landry’s has taken, and some steps customers can take in response.
Landry’s recently detected unauthorized access to the network that supports its payment processing systems for restaurants and food and beverage outlets. Landry’s immediately launched an investigation, and a leading cybersecurity firm was engaged to assist. Although the investigation identified the operation of malware designed to access payment card data from cards used in person on systems at its restaurants and food and beverage outlets, the end-to-end encryption technology on point-of-sale terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices. Besides the encryption devices used to process payment cards, Landry’s restaurants and food and beverage outlets also have order-entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards. In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order-entry systems. The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved.
The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems. In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name. The general timeframe when data from cards mistakenly swiped on the order-entry systems may have been accessed is March 13, 2019 to October 17, 2019. At a small number of locations, access may have occurred as early as January 18, 2019. A full list of Landry’s owned restaurants and food and beverage outlets involved is available at https://www.landrysinc.com/CreditNotice/.
It is always advisable for customers to closely monitor their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to the financial institution that issued the card because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card.
During the investigation, Landry’s removed the malware and implemented enhanced security measures, and Landry’s is providing additional training to waitstaff. In addition, Landry’s continue to support law enforcement’s investigation.
For more information regarding this incident, customers may visit https://www.landrysinc.com/CreditNotice/.