Point-of-sale terminals at several Applebee's restaurants recently suffered a data breach involving customers' payment card details, an Applebee's franchisee has confirmed.
The data breach at Applebee's point-of-sale terminals is believed to have taken place between 6th December and 2nd January and may have compromised customers' names and credit card details.
RMH Franchise Holdings, which operates over 150 Applebee's restaurants at various locations, announced the data breach to customers, stating that the breach may have compromised 'certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods'. The breach took place only at point-of-sale terminals, and online payments were not impacted.
Applebee's PoS systems not affected
The franchisee added that its point-of-sale systems are isolated from Applebee’s network, and the breach only impacted terminals at the Applebee's restaurants it operates. However, RMH did not state the names of affected restaurants or the number of point-of-sale terminals that had been compromised.
"After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.
"RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident," it added.
Commenting on the breach of RMH's point-of-sale terminals, Lisa Baergen, director at NuData Security Inc., said: “Cybercriminals are being increasingly successful at finding weaknesses in Point-of-Sale (PoS) systems. In this case, 160 restaurants were hit by bad actors trying to steal credit card information. Restaurants and other hospitality industries must continuously monitor PoS devices and distribute patches regularly.
"On the other side, to combat online fraudulent transactions after the credit card information has been stolen, businesses offering services in the card-not-present (CNP) channel need to identify customers using multi-layered technologies that include passive biometrics. This technology monitors the user’s inherent behaviour, making it impossible for hackers to replicate or steal.
"Leveraging a fully integrated multi-layered security approach that includes passive biometrics is an effective way to make stolen information valueless to the hacker and help stop fraud," she added.
PoS terminals still at risk from hackers
Point-of-sale systems operated by various retailers across the UK and in the rest of Europe have been found lacking in the past as far as encryption of data and security protocols are concerned.
Last year, it came to light that hackers had breached PoS servers used by as many as 12 hotels run by the InterContinental Hotels Group (IHG) in North America and the Caribbean between August 2016 and December 2016 and had stolen hundreds of credit card details.
According to the hotel group, “the malware searched for track data (cardholder name, card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server.”
In September last year, Whole Foods Market announced that payment card information of its customers was subjected to unauthorised access at certain taprooms and full table-service restaurants. Even though the breach did not impact every Whole Foods Market store, it did highlight how hackers are looking for every little opportunity to gain access to financial information belonging to citizens.