Darden Restaurants announced Wednesday (August 23) that the data on 567,000 payment card numbers may have been exposed.
In a press release, the restaurant chain operator said it was notified on August 16, 2018, by federal authorities that a legacy point-of-sale system for some of its Cheddar’s Scratch Kitchen restaurants, a brand acquired by Darden last year, may have been compromised via a hack that involves restaurants in 23 states. The company said payment card information — including card numbers — from visitors who went to the restaurants from Nov. 3, 2017, through Jan. 2 2018 may have been affected. Darden said it continues to assess the scope of the incident — but as it stands now, 567,000 cards were impacted.
“Upon being notified of this incident, we activated our response plan and we engaged a third-party forensic cybersecurity firm to investigate. Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar’s system that was permanently disabled and replaced by April 10, 2018, as part of our integration process,” wrote Darden in a press release. The company said it arranged to have ID Experts provide identity protection services to impacted customers at no cost. Darden said the Cheddar restaurants impacted are located in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin. “The trust our guests place in us is something we take very seriously, and we regret that this incident occurred. We deeply value our relationships with our guests, and our priority is to assist those who may have been impacted by this incident,” Darden said in the press release.
In May of 2017 Chipotle, the fast-food Mexican chain, disclosed malware installed on its payment system was relaying customer payment data to hackers from 2,250 of the Mexican restaurant chain’s store locations. The malware lifted data, including account numbers and internal verification codes, from magnetic stripes on payment cards. That information could be used to drain debit card-linked bank accounts, make “clone” credit cards or make purchases on less secure eCommerce sites.