Shoney's Hit By Credit-Card Breach

Nashville-based, privately held restaurant chain Shoney’s has become the latest restaurant group hit by a credit card breach.

Shoney’s, the diner-like chain of restaurants that specializes in burgers, fries and all things Americana (formerly associated with the Bob’s Big Boy brand as well), has about 150 locations in 17 states, mostly in the South and mid-Atlantic.

After receiving a report that it may have been breached, Best American Hospitality Corp., which owns some of the franchise locations, commenced an investigation with Kroll Cyber Security to examine the payment card processing systems for all restaurants on its network. The investigation found point-of-sale malware that had been remotely installed; it was active between December 27, 2016 and March 6, 2017, when it was contained.

“The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected computer,” the company explained in a statement, which also includes a list of affected locations. “In some instances, the malware appears to have identified data from the card’s magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every cardholder name was identified.”

Brian Krebs first uncovered the compromise after sources in the financial industry told him that they had received confidential alerts from various credit-card associations “about suspected breaches at dozens of those locations.”

John Christly, global CISO at Netsurion, suggested that it is time for restaurants to overhaul their security approaches to include file integrity monitoring (which tells you when files have changed that weren’t supposed to change), unified threat management appliances, managed endpoint threat detection and response, or security information and event management (SIEM). He also noted that PCI DSS compliance and 4G failover to cellular are essential components.

“Attack and breach prevention requires a new approach today, and many products and service providers simply do not have the ability to stop cyber-criminals before they do legitimate damage, as evidenced by the recent onslaught of restaurant chain data breaches,” he said, via email. “Many restaurant owners set up a firewall as a basic security measure and believe their networks will be sufficiently protected. In today’s cyber-world, firewalls can’t just be set up and run on their own. While a network firewall is a fundamental security component, it must be actively monitored, managed, and updated to be effective. Even still, a managed firewall cannot defend every threat vector. Modern, effective security goes beyond having a firewall and anti-virus.”
