Chili’s Doesn’t Leave Data Breach on the Back Burner

Southwestern/Texas-themed restaurant chain Chili’s has become the latest victim of a data breach involving the heist of point-of-sale information from payment cards — and the alacrity with which it has admitted the incident is notable.

Hackers had unauthorized access to payment-card data between March and April of this year, although Chili’s said in a statement on its website that it’s still evaluating the full scope of the incident. It has not said how many restaurants, how many customer cards or which locations were impacted.

The chain was snappy about notification, issuing a statement on Friday May 11, the same day that it learned about the compromise. This is bad news for bad actors, as it gives them less time to exploit stolen debit and credit cards before consumers replace their plastic.

“This organization, unlike numerous others, actually stood up three days after noticing the breach and said something,” said Chris Roberts, chief security architect at Acalvio, in an email to Threatpost. “They didn’t hide behind their lawyers, etc. The good thing is that it sounds that it’s limited in scope. Unfortunately, those are famous last words.”

Although details are as of yet scant, the company did say that malware was the attack vector. This could have been installed directly on card-readers by someone with physical access to them, or it could have been done by phishing user credentials that gave hackers network access; from there they could pivot and move throughout the environment, eventually pushing out card-harvesting malware to the endpoints or scraping a database of transactions. Supply-chain partners could be a weak link in the second scenario, as seen with the infamous Target breach of 2014, and many subsequent incidents thereafter, including recent attacks on Delta and Sears.

“The statement that malware was involved leads me to believe that the PoS operating systems and applications were compromised,” said Bryan Gale, chief product officer at CyberGRX, via email. “There is a growing awareness of the threat to the vendor supply chain. Although Chili’s itself may implement best-in-class security, they must also ensure that their vendors do the same.”

The fajita purveyor said that it “immediately” activated a response plan, has notified law enforcement and is working with a “third party” to gain a better picture of what has happened.

This is just the latest in a line of attacks on restaurant PoS systems, including Applebee’s, Chipotle, Sonic, and Wendy’s. Patching remains an issue in the vertical, as does physical security: training staff to better identify typical fraudulent activity, safeguarding PoS equipment and surrounding areas, not leaving the passwords on sticky notes by the machines and even installing security cameras can all help with the problem.

Roberts added, “Frankly, it’s still too easy to gain access to PoS systems in restaurants. High-traffic areas and hidden behind-the-scenes areas are riddled with the very systems that retain our information and many restaurants still leave them open, have defaults in place, or worse, still have the login information sitting close by. Access to a PoS and their ability to repel malware is still not where it needs to be. It’s too easy to tamper with them, root them or attack them in many other ways. Patching, defaults and other issues are still rife.”