Buca di Beppo, the Italian restaurant chain, reportedly knew about a data breach that resulted in two million credit card and debit numbers being stolen since Feb. 21 — but waited until the end of March to reveal it.
According to a report in KrebsOnSecurity, the firm contacted the restaurant chain in late February after finding strong evidence of the breach, including evidence that the credit card and debit card numbers were being sold on the dark web. It wasn’t until this past weekend that Buca di Beppo parent Earl Enterprises announced it had fixed a ten-month hack of its payment system for some of its restaurant chains including Earl of Sandwich and Planet Hollywood. KrebsOnSecurity said credit and debit card accounts from Earl Enterprises restaurants were up for sale as of Feb. 20, 2019. Earl Enterprise acknowledged the data breach, saying malware was installed on its point-of-sale system, which enabled criminals to sell the card data from May 23, 2018 through March 18, 2019. Earl Enterprises wouldn’t say how many customers were affected by the data breach, noted the report.
Based on an analysis of a Webpage Earl Enterprises put up to enable people to see if their data was compromised, KrebsOnSecurity reported all of 67 Buca di Beppo restaurants in the U.S. were impacted.
Out of the 31 Earl of Sandwich stores, a handful were compromised, as were Planet Hollywood locations in Las Vegas, New York City and Orlando. The report noted that Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles were also impacted by the data breach. KrebsOnSecurity said it contacted executives at Buca di Beppo in late February to inform them of the data breach after discovering that most of its restaurants were involved in a data breach that showed up on a black market shop that sells newly stolen credit card and debit card numbers.