Malware Found on Payment System Used by On The Border Restaurants

Tex-Mex restaurant chain On The Border has informed customers this week that their payment card information may have been stolen by hackers.

The breach was discovered on November 14 and at this point in the investigation the company believes the incident impacts restaurants in 27 states, including Arizona, Arkansas, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Iowa, Kansas, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas and Virginia.

The evidence uncovered so far suggests that the malware may have stolen cards processed at affected restaurants between April 10, 2019, and August 10, 2019.

There are over 150 On The Border restaurants in the United States and not all of them appear to be impacted, but the company has yet to provide a list of locations that were hit. Customers have been told that the incident does not affect its franchised locations or orders made through food delivery apps such as Uber Eats, DoorDash and Grubhub.

According to the company, the malware may have stolen information such as cardholder name, card number, expiration date, and card verification code. Dates of birth, social security numbers or guest identification numbers are not collected by the restaurant.

“We have notified the payment card networks and law enforcement of this incident and we are cooperating with each of their investigations,” On The Border said in a statement.

Argonne Capital Group, the private investment firm that owns On The Border, also owns the fast food restaurant chain Krystal, which also disclosed a payment card breach recently.

Krystal revealed in late October that hundreds of its restaurants were affected by a security incident that involved payment processing systems. The company said hackers may have obtained information from cards used between July and September 2019.

It’s unclear if there is any link between the breaches suffered by On The Border and Krystal. SecurityWeek has reached out to Argonne to see if the company can confirm or deny a possible link.

Several major restaurant companies informed customers of payment card breaches in the past year, including Church’s Chicken, Catch, Focus Brands (Moe’s, McAlister’s and Schlotzsky’s), Checkers Drive-In Restaurants, Earl Enterprises, Huddle House, Chili’s, Applebee’s, and Cheddar’s Scratch Kitchen.

Security blogger Brian Krebs reported on Tuesday that someone is offering to sell four million stolen credit and debit cards on a major underground cybercrime website called Joker’s Stash, and the cards appear to have been obtained as a result of the Focus Brands and Krystal breaches.