166 Applebee's Restaurants Hit With Payment Card Malware

Payment Card Data Stolen by Malware-Wielding Attackers, Franchisee Warns

Anyone who dined out at Applebee's restaurants in 15 states - ranging from Alabama and Arizona to Texas and Wyoming - may have gotten a free side of payment card theft with their meal.

On Friday, RMH Franchise Holdings warned that of the 167 Applebee's restaurants it owns and operates, 166 suffered a data breach in which point-of-sale systems were infected with malware designed to capture payment card data from anyone who dined at the restaurants.

Infection periods vary by location, but the earliest infections began on Nov. 23, 2017, and none appear to have lasted longer than Jan. 2, the company says. It has not published an estimate of the number of payment cards that hackers compromised.

RMH says it's the second-largest Applebee's franchisee as well as "one of the fastest growing casual dining restaurant companies in America."

The company discovered the breach on Feb. 13 and "promptly took steps to ensure that it had been contained," RMH says in a statement. "In addition to engaging third-party cybersecurity experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again."

Customers' names, credit or debit card numbers, card expiration dates and card verification codes may have been compromised. "Payments made online or using self-pay tabletop devices were not affected by this incident," the company says.

The company says it's set up a help line that customers can call to receive more information about the breach.

Applebee's Restaurants: 166 Infected

RMH's data breach notification includes a list of all affected locations by name and lists the infection period. Here's a breakdown of how many RMH-owned Applebee's were affected in each state:

  • Alabama: 2
  • Arizona: 23
  • Florida: 4
  • Illinois: 14
  • Indiana: 21
  • Kansas: 3
  • Kentucky: 14
  • Missouri: 2
  • Mississippi: 1
  • Nebraska: 11
  • Ohio: 44
  • Oklahoma: 6
  • Pennsylvania: 1
  • Texas: 15
  • Wyoming: 5

RMH says the malware infections have been remediated and that it's safe again to use a payment card at its Applebee's restaurants.

The company has recommended that anyone who dined in one of the Applebee's restaurants it owns and operates keep a close eye on their bank and credit card statements. "If they see an unauthorized charge, guests should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges."

Identity theft experts say that U.S. credit card issuers are required to reimburse the full amount of any fraudulent charges, so long as customers report the charge in a timely manner. "Credit cards are better protected by federal law as to the amount of money that you are responsible for if lost or stolen, and most companies now extend a zero liability policy to customers," according to the Identity Theft Resource Center, a nonprofit U.S. organization that assists data breach victims.

ITRC recommends that at least when traveling, U.S. consumers never use a debit card to pay for anything because any fraud will result in funds immediately disappearing from an account. "It is more difficult and time consuming to resolve fraudulent purchases made with debit cards," ITRC says.

The company issued its breach notification on a Friday, which is when companies try to bury bad news (see Jason's Deli: Hackers Dine Out on 2 Million Payment Cards).

List of 166 breached locations. (Source: RMH Franchise Holdings)

RMH declined to comment on how the breach was discovered, how many cards appear to have been affected, how attackers broke in, what specific steps Applebee's has taken to secure its systems to prevent a recurrence, and whether RMH's Applebee's restaurants use chip-and-PIN card security and if that helped mitigate the breach.

Yet Another Restaurant Chain Breach

RMH's breach means Applebee's joins the ever-growing roster of restaurants that have suffered POS malware infections leading to payment card data being stolen. The spate of restaurant-related breaches seems to have been nonstop since mid-2014, when restaurant chain P.F. Chang's China Bistro warned that a POS malware attack had compromised dozens of its locations.

Since then, numerous other restaurants, including Arby's, Chipotle, Jason's Deli and Wendy's, among many others, have fallen victim to POS malware infections (see 'Where's the Breach?').

The payment card breach epidemic isn't just centered on U.S. restaurants; it has also hit retailers and hotels (see Forever 21 Suffered 7-Month POS Malware Attack).

The problem is compounded by the ease of procuring card-scraping malware, designed to infect POS systems, from underground cybercrime forums.

Many hospitality and retail sector organizations also have poor information security practices, according to Verizon's 2017 Data Breach Investigations Report.

Some information security experts recommend that any organization that uses POS terminals should assume it has been breached unless it can demonstrably and repeatedly prove otherwise. But many organizations don't appear to take the threat seriously until after their systems have been breached.

Attackers, however, are not just gunning for POS systems installed in restaurants and other locations, but also for POS system providers, whose compromise could enable hackers to infect many more systems and harvest many more payment card details at once.

In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had "detected and addressed malicious code in certain legacy MICROS systems." And many more POS vendors have also been targeted, security experts say.

Start With the Basics

Information security experts have long recommended that corporate IT administrators always ensure they have basic security defenses in place, including segmenting networks, restricting admin-level rights and never allowing any device with a default password to connect to corporate networks (see Solve Old Security Problems First).

But cybersecurity firm Mandiant, part of FireEye, in a report issued last year, warned that too many organizations still fail to put these basic, well-proven security defenses in place.

View of a "flat" retail network that is not segmented. (Source: Mandiant)

The lack of segmentation in particular leaves organizations that handle payment card information at heightened risk of being breached. "Unfortunately, most networks, including those with payment card information, are not segmented," Mandiant says. "The compromise of a single retail location often leads to the compromise of the larger PCI environment, making customer-facing employees in these retail environments the low-hanging fruit sought by attackers."

Editor's note: An earlier version of this story stated that all 167 Applebee's operated by RMH Franchise Holdings were affected by the breach, but the correct figure is 166 restaurants, as one location - in Crestwood, Illinois - was not affected.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
