Shoney's restaurants hit with PoS malware, customers' card details compromised for months

Nashville-based Shoney's, a 70-year-old American restaurant chain that operates mostly in the South and mid-Atlantic, has been hit with a major payment card breach compromising customers' card details for months. Security blog Krebs on Security first reported the hack citing multiple finance industry sources who identified pattern of fraud on customer cards.

The sources said they received confidential alerts from various credit-card associations about suspected breaches at multiple Shoney's locations.

Best American Hospitality Corp (BAHC), which manages and operates some of Shoney's locations, confirmed the breach in a statement saying 37 restaurants across the South were affected with most located in Tennessee and a few in South Carolina, Louisiana, Georgia, Mississippi, Virginia, Florida, Missouri, Alabama and Arkansas.

The affected restaurants were infected with point-of-sale malware in December last year which was active between 27 December and 6 March, 2017 when it was contained.

The company also published a list of the affected restaurants as well.

BAHC said it hired security firm Kroll Cyber Security to investigate the issue and examine its payment card processing system after receiving a report that some payment card numbers used at its restaurants were stolen.

"The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected computer," BAHC said in a statement.

"In some instances, the malware appears to have identified data from the card's magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name.

BAHC noted that it was possible that cardholder names were not identified in every instance. The company is currently working with payment card networks and notifying banks to closely monitor any affected cards. Customers who may have been affected by the breach are advised to monitor their card statements for any suspect, unauthorized charges and report them to the bank.

The company did not specify how many people may have been affected by the breach. Shoney's restaurant chain includes around 150 company-owned and franchised restaurants operating across 17 US states.

Shoney's is the latest in a slew of restaurant and hospitality chains hit by a major data breach.

McDonald's Canada confirmed late last month that its career website, compromising the personal data of nearly 95,000 restaurant job applicants, was hacked. In February, fast food chain Arby's said hackers targeted the payment card systems many of its restaurants across the US. Last year, burger chain Wendy's also disclosed that hundreds of its restaurants were affected in a malware-driven payment card breach.