Over 160 Applebee’s restaurants in the US may have been breached, after the franchise company overseeing them admitted it found malware on Point of Sale (POS) systems.
RMH Franchise Holdings discovered the incident on February 13 and brought in third-party forensic experts to help work out what happened, as well as informing police.
“Based on the experts’ investigation, RMH believes that unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations,” it explained.
“Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected. The exact dates vary by location. Payments made online or using self-pay tabletop devices were not affected by this incident.”
The incident seems to have hit most of RMH Applebee restaurants in the US, although the firm was at pains to point out that any restaurants not owned by the firm remain unaffected.
Those hit include outlets in Alabama, Arizona, Texas, Florida, Illinois, Indiana, Kansas, Kentucky, Ohio, Mississippi, Missouri, Nebraska, Oklohoma, Pennsylvania and Wyoming.
In the majority of cases, malware was allowed to sit on the POS systems for around a month, between December 6, 2017 and January 2, 2018. In a few locations it was active from November 23 or December 5, 2017.
Customers have been urged to closely monitor their card statements for any unusual activity.
This is far from the first POS malware incident of its kind. Other US restaurant chains including Arby’s, Chipotle, Shoney’s and Wendy’s have all suffered similar attacks.
It’s one of the reasons why experts argue more organizations should migrate over to support EMV cards. Offering EMV makes businesses a smaller target for hackers as they can’t use the stolen data to clone cards, unlike the old magstripe cards.