Restaurant chains Moe’s Southwest Grill, McAlister’s Deli, and Schlotzsky’s were hit earlier this year by a payment card breach that has impacted hundreds of locations.
It appears that cybercriminals managed to steal information associated with payment cards used at the affected restaurants by installing a piece of malware designed to search for and harvest payment card data as it passed through a restaurant’s server.
Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands, an affiliate of Atlanta-based private equity firm Roark Capital Group. It’s likely that the restaurant chains share some infrastructure, which enabled the attackers to target all of them roughly at the same time.
The restaurants first notified their customers of a data breach on August 20, shortly after discovering the intrusion. The investigation launched into this incident is nearly completed and they have determined that each restaurant was hit at different times between April and July. Moe’s and McAlister’s were hit between April 29 and July 22, while Schlotzsky’s determined that the malware was present between April 11 and July 22.
Moe’s, McAlister’s and Schlotzsky’s have a total of approximately 1,500 locations across the United States. Their customers can see the list of affected restaurants based on postal code or state and city. Hundreds of locations appear to have been impacted, but the companies say the cybercriminals did not manage to deliver the malware to all restaurants and claim that in most cases the malware was only present for a few weeks in July.
In the case of Schlotzsky’s and Moe’s, the investigations uncovered other, unrelated data breaches at one and two locations, respectively.
“Moe’s Southwest Grill, McAlister’s Deli, and Schlotzsky’s quickly took measures to contain the incident, remove the unauthorized code, and they are working to implement measures to further enhance payment card security. Nonetheless, it is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity,” the restaurants said in a joint press release.