Checkers restaurant chain discloses a data breach: malware got access to customer payment card data
Checkers and Rally's restaurants disclosed a security incident in which malware was planted on the company's payment processing system. As the official data breach notice states, the malware was designed to collect information stored on the magnetic stripe of payment cards. This customer information includes names, payment card numbers, verification codes, and expiration dates.
The company conducted an investigation and removed the point-of-sale (PoS) malware from the system. 102 out of 900 drive-thru restaurants under the Checkers and Rally's brands were impacted, that is, 15% of all restaurants were affected by the breach.
Based on the information provided by the officials, not every restaurant was affected by the security issue, but it impacted restaurants in 19 states, including Alabama, Arizona, California, Delaware, Florida, Georgia, Illinois, Indiana, Kentucky, Louisiana, Michigan, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Tennessee, and West Virginia.
The malware was active on different restaurant networks at different times in the past three years
The company's data breach notice lists every affected location together with its exposure dates, and these suggest that most of the malware infections occurred in early 2018 and 2019. Nevertheless, some restaurants were infected during 2016-2017, and the earliest incidents date to September 2016.
The company claims to have removed the malware affecting the restaurants' payment system right after the incident was discovered in April 2019, and third-party security experts were engaged to lead the investigation. Checkers also stated that federal law enforcement authorities were informed about the malware attack:
We also are working with federal law enforcement authorities and coordinating with the payment card companies in their efforts to protect cardholders.
Checkers is not the first restaurant chain hit by customer credit card data theft
Data breaches and other security incidents have been a massive issue for large companies, including restaurant chains. In May last year, we reported on the Chili's data breach incident. At the time, the breach affected more than 1,500 locations all over the world. The restaurants' payment system was also impacted by malware that stole credit card information.
Another incident involving credit card information theft from restaurant chains took place between May 2018 and March 2019. It was confirmed when the Italian restaurant chain Buca di Beppo discovered 2 million stolen card numbers being sold online. The company confirmed that the 10-month breach affected restaurants in 40 states. Hackers installed malware on point-of-sale systems and stole 2.15 million credit and debit card numbers.
Checkers officials advise customers to pay attention to their transactions and keep an eye out for unauthorized financial account activity. Since the extracted data includes payment information, it can lead to identity fraud or theft.
We encourage you to review your account statements and contact your financial institution or card issuer immediately if you identify an unauthorized charge on your card. The payment card brands' policies provide that cardholders have zero liability for unauthorized charges that are reported in a timely manner.