Friday , March 29, 2024

Chili’s Reports Malware-Related Data Compromise at Company-Owned Restaurants

An undetermined number of Chili’s Grill and Bar restaurants sustained a data breach in March and April, Chili’s parent company Brinker International Inc. reported over the weekend.

Dallas-based Brinker divulged few details in a Saturday post on the Chili’s Web site and in a new release the same day. It did report, however, that the breach affected payment card numbers and cardholder names of customers who visited “certain Chili’s Grill & Bar corporate-owned restaurants.” Brinker said it learned of the compromise on Friday notified law enforcement, and is now working with “third-party forensic experts” on an investigation.

Chili’s has 1,634 restaurants worldwide, including 1,254 in the United States. Of the U.S. locations, 940 are company-owned and 314 are franchised. Brinker also owns the 52-location Maggiano’s Little Italy restaurant chain.

“Currently, we believe the data incident was limited to between March-April 2018; however, we continue to assess the scope of the incident,” the news release says. “While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants.”

A Brinker spokesperson could not be reached Monday morning for comment.

The good news, if there is any, is that in marked contrast to other companies that have delayed breach disclosures, Brinker reported the incident only one day after it said it learned of it. For example, credit-reporting agency Equifax Inc. reportedly learned it had been breached last July but waited until September to disclose the massive compromise of more than 140 million records. [24]7.ai Inc., a San Jose, Calif.-based company that provides services like virtual chat agents and analytics to various companies, said it had a breach that began last Sept. 26 that was discovered and contained on Oct. 12. But one of [24]7.ai’s affected clients, retailer Sears Holdings Corp., said the vendor didn’t inform it of the breach until mid-March. The Sears breach involved unauthorized access to credit card information on fewer than 100,000 customers, Sears said. Other firms affected by the [24]7.ai compromise  included Delta Air Lines Inc. and Best Buy Co. Inc.

Companies have delayed breach disclosures for various reasons, including upon advice of investigators and law-enforcement, and because they didn’t believe a data compromise would lead to actual fraud.

Check Also

Buying Groups Might—or Might Not—Give Merchants More Negotiating Power with the Card Networks

Card-acceptance costs and network rules weren’t the only subjects covered by the sweeping settlement revealed …

Digital Transactions