Cheddar’s Restaurants Bitten By Credit-Card Breach

Fast-casual stalwart Cheddar’s Scratch Kitchen has become the latest restaurant to suffer a payment-card breach.

Cheddar’s, known for its reasonably priced country-fried chicken, pot pies, ribs and other comfort food, has hundreds of locations across the Midwest and the South. It said that it discovered the breach last Thursday; the breach itself however took place between November 3, 2017 and January 2.

“An unauthorized person or persons gained access to the Cheddar’s Scratch Kitchen network and were able to access and potentially obtain payment-card information used to make purchases in certain Cheddar’s Scratch Kitchen restaurants,” the company said in a notice on its website.

Restaurants in 23 states (Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin) were impacted, it said – indicating the incident arose via a corporate network breach and malware implementation rather than the use of physical card-skimmers.

“The unauthorized access appears to have occurred on a network that was permanently disabled and replaced by April 10, 2018,” the company said. “It’s important to note that there are no indications of unauthorized access to the current Cheddar’s Scratch Kitchen network and systems.”

The restaurant chain didn’t specify what information was exposed, only that it involved “payment-card numbers.” It also hasn’t released data on how many consumers are affected; although given the number of locations and the length of the compromise, it’s likely to be more than a handful.

As with all card breaches, the implications extend beyond the initial victimization.

“Due to cybercriminals’ sophistication and how creatively they use the stolen data, this is not just a problem for Cheddar’s and their customers, but also for the payment-card providers and any other organizations with whom the victims hold accounts,” said Ryan Wilk, vice president of Delivery – Customer Success at NuData Security, via email. “Once personal and financial information such as this is accessible to criminals, it feeds the pipeline of future cybercrime for years to come.”

Cheddar’s is following a well-worn path. Several restaurants have fallen victim to breaches this year, including Applebee’s, Chili’s and Panera Bread.

Photo courtesy of Cheddar’s.