Digital Guardian's Blog

Point-of-Sale Breach Affects 160+ Applebee's Locations



A breach at one of Applebee's largest franchisees, RMH Franchise Holdings, affected over 160 restaurants late last year.

Diners who visited an Applebee's Grill and Bar in December would be well served to pay attention to their credit and/or debit card statements going forward.

RMH Franchise Holdings, the second-largest franchisee in the Applebee's system, announced late Friday that more than 160 stores across 15 states were affected by a "data incident" late last year stemming from a compromise of its point-of-sale systems.

According to RMH's announcement, released late Friday, names, credit or debit card numbers, expiration dates and card verification codes may have been exposed.

Data breach disclosures are typically thin on details, so it’s not exactly surprising that RMH doesn’t offer much in the way of what happened. The franchisee claims it discovered the incident on February 13 but doesn’t specify how. The company wouldn’t confirm that malware had made its way onto its point-of-sale systems. Instead, RMH said that it found “unauthorized software” placed on POS systems at select restaurants “designed to capture payment card information.”

While RMH claims the dates of compromise vary by location, the bulk of restaurants were affected from December 6, 2017 to January 2, 2018.

Judging from the disclosure, it sounds like just about every location RMH operates was hit. The company's site says RMH and its subsidiary, RMH Franchise Corp., run more than 167 restaurants across the country.

According to the disclosure, roughly 167 restaurants in 15 states, including Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Oklahoma, Pennsylvania, Texas, and Wyoming, were all affected.

Diners who elected to pay via self-pay tabletop devices at the affected locations were not affected, according to RMH.

The introduction of EMV, or chip, cards several years back has helped reduce counterfeit card fraud but can’t outright prevent data breaches.

Point-of-sale malware remains a nuisance for restaurants and retail shops alike. Last year saw breaches of payment systems at fast food chains like Sonic Drive-In, Arby's, and Chipotle, and stores like Forever 21, Whole Foods, Kmart, and Brooks Brothers.

Some chains are more forthcoming when it comes to divulging details than others; Forever 21, for instance, admitted in November that encryption wasn't turned on for some POS devices at its stores from March to October last year. Dairy Queen actually named the strain of POS malware that compromised card data at 396 of its stores in 2014. The malware, Backoff, was the subject of a United States Computer Emergency Readiness Team (US-CERT) warning earlier that summer.

Hundreds of Tim Hortons locations in Canada were affected by what appeared to be a POS malware infection last week. The Great White North Franchisee Association (GWNFA) - a group that represents Tim Hortons franchisees - threatened to sue Tim Hortons’ holding company, Restaurant Brands International (RBI), for loss of revenue following the downtime.

It's unclear exactly what led to most of these breaches, but vulnerabilities affecting POS platforms aren't uncommon.

Researchers warned earlier this year of a potentially dangerous vulnerability in Oracle's MICROS point-of-sale systems that could let an attacker read and retrieve information without authentication. If left unpatched, the high-risk bug could put up to 300,000 systems at risk. ERPScan, the firm that discovered the vulnerability, said at the time it appeared there were 170 systems online that were vulnerable to the bug.


Chris Brook


Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.