RMH Franchise Holdings, which claims to be the second largest Applebee's franchisee, is warning Applebee's customers that point-of-sale malware affected 167 restaurants in 15 states.
Franchises in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Oklahoma, Pennsylvania, Texas, and Wyoming were affected in the breach.
The company discovered the malware on Feb. 13, 2018, and took action to secure the systems, notify the authorities and contact a third-party cybersecurity firm to investigate the incident, according to a March 2, blog post. The unauthorized software was designed to capture payment card information and may have affected a limited number of purchases made at those locations, the company said.
The exact dates of the breach vary by location but officials said customer information including names, payment card information, expiration dates and card verification codes were compromised in the incident.
Fred Kneip, CEO, CyberGRX said point-of-sale security has become an enormous challenge for the hospitality industry as attackers increasingly target POS vulnerabilities.
The Applebee's breach is the latest in a long line of similar attacks to quick service restaurants, including Sonic, Chipotle and Wendy's,” Kneip said. “Chain restaurants not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk.”
Experts agree, Lisa Baergen, director at NuData Security Inc. noted that cybercriminals are becoming increasingly successful with finding weaknesses in PoS systems.
“To combat online fraudulent transactions after the credit card information has been stolen, businesses offering services in the card-not-present (CNP) channel need to identify customers using multi-layered technologies that include passive biometrics,” Baergen said. “This technology monitors the user's inherent behaviour, making it impossible for hackers to replicate or steal.”
Baergen added that leveraging a fully integrated multi-layered security approach that includes passive biometrics is an effective way to make stolen information valueless to threat actors. Those who are affected are encouraged to closely monitor their payment card information