Huddle House has become the latest US restaurant chain to suffer a Point of Sale (POS)-related data breach.
The casual dining and fast food operation revealed on Friday that a malware intrusion had affected an unspecified number of its “corporate and franchised locations.
“Criminals compromised a third-party POS vendor’s data system and utilized the vendor’s assistance tools to gain remote access — and the ability to deploy malware — to some Huddle House corporate and franchisee POS systems,” it said in a notice.
“Huddle House was notified by a law enforcement agency and its credit card processor that some of its corporate and franchise locations may have been victims of a malicious cyber-attack. Huddle House retained a leading IT investigation and security firm in less than 24 hours from notification, to deploy specialized software to prevent further attacks.”
The firm is still investigating and so unable to provide a definitive list of affected locations, but said that anyone who used a payment card at one of its restaurants between “August 1, 2017 and present” may be at risk.
The malware in question appears to have been classic POS-scraping code designed to harvest magnetic stripe data including cardholder name, credit/debit card number, expiration date, cardholder verification value and service code.
These attacks are less common today thanks to the growing adoption of the EMV standard in the US, which encrypts cardholder data thanks to a built-in chip on each card. This makes it virtually impossible to clone cards using stolen information.
However, hackers still try their luck from time-to-time as EMV adoption is patchy and there’s also a chance that it hasn’t been properly implemented by the store/restaurant.
Huddle House urged customers to check their card statements and contact their bank immediately if they spot anything suspicious.