Dining, hospitality, entertainment and gaming corporation, Landry Inc, has been notifying customers of an incident that the group recently identified and addressed involving payment cards.
Investigations found that cards had been mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders – devices which are different from point-of-sale terminals used for payment processing.
Landry’s recently detected unauthorized access to the network that supports its payment processing systems for restaurants and food and beverage outlets. Officials of the company say an investigation was immediately in collaboration with a leading cybersecurity firm.
Although the investigation identified the operation of malware designed to access payment card data from cards used in person on systems at its restaurants and food and beverage outlets, the end-to-end encryption technology on point-of-sale terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices.
Besides the encryption devices used to process payment cards, Landry’s restaurants and food and beverage outlets also have order-entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards.
It appears waitstaff may have mistakenly swiped payment cards on the order-entry systems. The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved, the company says.
The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems.
In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name.
The general timeframe when data from cards mistakenly swiped on the order-entry systems may have been accessed is March 13, 2019 to October 17, 2019. At a small number of locations, access may have occurred as early as January 18, 2019. A full list of Landry’s owned restaurants and food and beverage outlets involved is available at https://www.landrysinc.com/CreditNotice/.
Customers have been advised to closely monitor their payment card statements for any unauthorized activity, and to immediately report any unauthorized charges to the financial institution that issued the card because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.
During the investigation, Landry’s says it removed the malware and implemented enhanced security measures, while additional training to waitstaff will now be provided. In addition, Landry’s continue to support law enforcement’s investigation.
The post #Privacy: US payment card company announces security incident appeared first on PrivSec Report.