Checkers, Rally's Burger Joints Hit By POS Malware

Infections Started in 2015 and Ran Through April
A Rally's drive-through in Louisiana (Photo: Vrlobo888 via Wikimedia Commons/CC)

Checkers Drive-In Restaurants, which also runs Rally's, says 102 of its 900 U.S. locations were hit with point-of-sale malware, with one California restaurant infected for more than two years, starting in December 2015.

Checkers, which was acquired by private equity firm Oak Hill Capital Partners in 2017, says it "recently" became aware of the malware and is taking steps to remove it.

"After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter," according to a statement from Adam Noyes, who is chief administrative officer and executive vice president of Checkers.

Retailers, restaurant chains and hotels have been frequent victims of POS malware, which seeks to collect card details during payment processing. POS systems are attractive targets due to the large volumes of card data that are processed.

Mag Stripe Data Stolen

Checkers has published a list of the affected restaurants, which spanned 20 states. It listed a date range for each location affected, but it said not all customers who visited those locations during those ranges had their card details stolen.

The malware harvested data stored on a payment card's magnetic stripe, including name, card number, card verification code and expiry date.

The length of time data was exposed varied significantly for affected locales, and it's unclear why.

For example, the earliest infection, at a Rally's in Los Angeles, started in December 2015 and ended in March 2018. The exposure periods for many infections, however, end in April, which suggests that's when Checkers discovered it had a large-scale problem.

Efforts to reach a Checkers spokesperson for clarification were not immediately successful.

Soft Targets

Despite big POS malware strikes against retailers such as Target and Home Depot in 2013 and 2014 and many incidents since, retailers remain attractive targets for cybercriminals. The stolen card details are typically sold in underground forums based on the projected return on a card and its credit limit.

Even though more than half a decade has passed since Target and Home Depot were hit, the opportunities for hackers clearly haven't been closed. Cisco's Talos intelligence unit highlighted yet another type of new POS malware in March, pointing out why it's a continuing problem (see: Fresh POS Malware Strikes Small and Midsize Companies).

"Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers," Cisco wrote in a blog post.

Last year, several large organizations reported payment card breaches, including Applebee's, Saks Fifth Avenue and Chili's. The incidents can be costly for retailers and restaurants because banks may take legal action to recover costs, such as those of issuing new cards. Class action lawsuits on behalf of consumers also are frequently filed.

In February, Wendy's announced it had entered into a settlement agreement related to a class-action lawsuit filed by banks. The suit related to a 2015 and 2016 breach in which 18 million card details were stolen from the POS systems of 1,025 restaurants (see: Wendy's Reaches $50 Million Breach Settlement With Banks).

Just hours after Checkers issued its advisory, the law firm Federman & Sherwood, which has offices in Oklahoma and Texas, announced it was launching an investigation of the Checkers breach that could lead to a consumer class action lawsuit.

In March, Federman & Sherwood reached a consumer settlement with Sonic Drive-In, another burger-and-fries chain, regarding a POS malware card breach that affected 325 restaurants (see: Fast-Food Chain Sonic Investigates Potential Card Breach).

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
