Card Breach Announced at Chili’s Restaurant Chain

Malware has harvested payment card details from some Chili's restaurants, Brinker International, the company behind the restaurant chain announced on Friday.

Brinker says it detected the malware on Friday, May 11, the same day it made the announcement. The company said it is still investigating the incident together with law enforcement and third-party forensic experts.

No concrete details about the incident's size

Based on the current details it was able to gather, the company said the malware appears to have infected some of its payment systems from where it gathered credit or debit card numbers and cardholder names.

The company did not publish a list of Chili's restaurants on whose network it found the malware but said the evidence suggests the malware was only active between March and April 2018.

Brinker also didn't provide an approximate number of affected customers but promised to publish more details as the investigation goes forward.

Brinker also said Chili's payment system was not designed to store personal information such as social security number, full date of birth, or federal or state identification number.

Brinker recommends protective measures

"If you used your payment card at a Chili’s restaurant between March – April, 2018, it does not mean you were affected by this incident," the company said in a statement.

"However, out of an abundance of caution, we recommend that you remain vigilant and consider taking one or more [...] steps to avoid identity theft, obtain additional information, and protect your personal information."

Until Brinker gets to the bottom of the incident, they are recommending that everyone who paid meals at Chili's restaurants in March and April 2018 contact a nationwide credit-reporting agency and set up a fraud alert or set up a security freeze. Other measures are listed in its official incident disclosure.

The Brinker incident is somewhat out of the ordinary because companies rarely report card breaches on the same day they discover them, usually waiting weeks and sometimes months to have concrete details before putting out a statement.

Image credits: Mike Mozart