Chili's Fires Up Incident Response, Post-Breach

After suffering a data incident in which the payment card information of Chili’s Grill & Bar customers was compromised, Brinker International, the restaurant chain's owner, has issued an apology, letting guests know that it is deeply sorry. 

Chili's Grill & Bar is the flagship brand of Dallas-based Brinker International, Inc. On 11 May, Brinker learned that an attacker may have gained unauthorized access to payment card data at some Chili’s restaurants. 

It remains unclear which of the 1,600 locations were affected by the data breach. The company immediately activated its incident response plan, which included alerting its guests to the data incident. As more information becomes available, it will update customers via its website. 

“Currently, we believe the data incident was limited to between March [and] April 2018; however, we continue to assess the scope of the incident,” Brinker International wrote in a news release.

Brinker has contacted law enforcement and enlisted the help of third-party forensic experts to conduct an investigation into exactly what happened. 

“While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from our payment-related systems for in-restaurant purchases at certain Chili's restaurants,” a 12 May press release stated.

Because hackers will follow the path of least resistance, any weakness in this ecosystem can result in exposure of sensitive information. Bryan Gale, chief product officer at CyberGRX, said, “It’s important to understand the level of risk exposure introduced by all third parties, but that becomes even more critical for a tier-one partner like a payment processor or point-of-sale solution provider.”

Though payment card information may have been compromised, Brinker noted that Chili’s does not collect personally identifiable information (PII) of its customers. 

It’s still too easy to gain access to PoS systems in restaurants, according to Chris Roberts, chief security architect, Acalvio. “High-traffic areas and hidden behind-the-scene areas are riddled with the very systems that retain our information, and many restaurants still leave them open, have defaults in place, or, worse, still have the login information sitting close by.” 

Customers do not need to close their debit or credit card accounts, according to Brinker, but the company does advise that customers monitor their credit card and bank statements for accuracy.
