Malware Found on PoS Systems at Checkers and Rally’s Restaurants

Checkers Drive-In Restaurants, Inc. on Wednesday informed customers that malware had been found on point-of-sale (PoS) systems at some of its Checkers and Rally’s restaurants.

Checkers Drive-In Restaurants operates roughly 800 Checkers and Rally’s restaurants across nearly 30 states. The data breach impacted 102 locations in 20 states, which represents roughly 15 percent of the company’s restaurants.

The list of impacted states includes Alabama, Florida, California, Delaware, Florida, Georgia, Illinois, Indiana, Kentucky, Louisiana, Michigan, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Tennessee, West Virginia and Virginia.

The company said it launched an investigation after becoming aware of a “data security issue involving malware.” The investigation revealed that cybercriminals had planted malware designed to steal data stored on the magnetic stripe of payment cards. The compromised information includes cardholder name, payment card number, expiration date and card verification code.

Checkers Drive-In Restaurants said there was no evidence that other type of data was stolen and pointed out that “not all guests who visited the listed restaurants during the relevant time periods are affected by this issue.”

The timeframe when the malware was present on PoS systems varies for each of the impacted restaurants, but in some cases the malware was apparently planted as early as 2015 and 2016.

The company has contracted a third-party cybersecurity firm to help it contain the incident and remove the malware from its systems. Law enforcement has also been notified.

“When looking at the full details provided by Checkers and Rally, some of the venues that were infected with the malware were targeted as far back as 2015. This means the attackers had years to make use of the stolen financial data and cover their tracks,” Shlomie Liberow, technical program manager at HackerOne, told SecurityWeek. 

“This breach is an example of one that really reminds us that any connected device is an attack surface and it’s not just online stores that face cybercriminal activity – with cybercriminal activity infringing even closer on the ‘real world’, we can see this as almost the modern equivalent of robbing the till, except in this example, it’s very much Checkers’ customers who are going to be financially disadvantaged here.

“While it is yet to be confirmed if money was stolen from affected customers, unfortunately, it’s now going to be up to those individuals who think they did pay for fast food at the affected outlets to check their bank statements and credit reports to alert their providers to any fraudulent activity,” Liberow added.

Several major restaurant companies reported suffering payment card breaches in the past year, including Earl Enterprises, Huddle House, Chili’s, Applebee’s, and Cheddar’s Scratch Kitchen.

Related: Breach at PoS Firm Hits Hundreds of U.S. Restaurants, Hotels

Related: Payment Card Breach Hits Over 260 Caribou Coffee Stores