KrebsOnSecurity revealed Nashville-based Shoney’s restaurant was hit by a data breach at several locations around the country. Additionally, the InterContinental Hotels Group disclosed malware compromised registers at more than 1,000 properties.
Best American Hospitality Corp., which manages and operates some of Shoney’s corporate-affiliated locations, investigated the restaurants with Kroll Cyber Security. A statement said, “Best American Hospitality Corp. commenced an investigation after receiving a report that some payment card numbers that were used at restaurant locations it manages and operates (some of Shoney’s corporate affiliated restaurants) had been stolen.”
Kroll’s findings showed malware, installed remotely on point-of-sale equipment at some of the restaurants, searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of routed payment cards. Shoney’s has about 150 company-owned and franchised locations in 17 states.
Kroll determined that some of the restaurants subject to a data breach from December 27, 2016 until the malware was contained on March 6, 2017. In some instances, the malware identified data from the card’s magnetic stripe including the cardholder name and number; and in other instances, the data identified by malware did not appear to include the cardholder name.
KrebOnSecurity reported sources in the financial industry said they’ve received confidential alerts from the credit card associations about suspected breaches at dozens of those locations.
Many breaches involving restaurant and hospitality chains over the past few years link back to remotely hacked POS devices infected with card-stealing malware.
John Christly, Global CISO at the Fort Lauderdale, Fla.-based managed security services firm Netsurion, noted, “Attack and breach prevention requires a new approach today, and many products and service providers simply do not have the ability to stop cybercriminals before they do legitimate damage, as evidenced by the recent onslaught of restaurant chain data breaches.”
Christy added, many restaurant owners set up a firewall as a basic security measure and believe their networks sufficiently protected. In today’s cyberworld, firewalls can’t just be set up and run on their own. While a network firewall serves as a fundamental security component, it needs active monitoring, managing, and updating to be effective. “Even still, a managed firewall cannot defend every threat vector.”
In December 2016, KrebsOnSecurity revealed fraud experts at various financial institutions suggested a widespread card breach across some 5,000 hotels worldwide owned by IHG. In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG released data showing cash registers at more than 1,000 of its properties compromised with malware designed to siphon customer debit and credit card data.
Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza. According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”
Krebs said IHG didn’t provide a total of affected properties but did publish a state-by-state lookup tool with more than 1,000 locations nationwide listed.
Card-stealing cyberthieves have broken into some of the largest hospitality chains over the past few years including Trump Hotels, Hilton, Mandarin Oriental, White Lodging, Starwood and Hyatt.
Last August, NAFCU President and CEO Dan Berger issued a statement regarding the data breaches: “These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers, such as the Data Security Act of 2015 (H.R. 2205/S.961).”