[BreachExchange] Catch Restaurants Hit by Point-of-Sale Malware

Wed Nov 27 08:55:35 EST 2019

https://www.securityweek.com/catch-restaurants-hit-point-sale-malware

Catch Hospitality Group alerted its restaurant customers that
cybercriminals managed to infect some of its point-of-sale (“PoS”)
devices with credit card data scraping malware.

The company is notifying customers of Catch NYC (including Catch Roof)
and Catch Steak about the incident, informing them that the discovered
malware was designed to search for track data (such as cardholder
name, card number, expiration date, and internal verification code) on
its PoS devices.

According to Catch, however, the impact appears to be limited, as the
malware was found on only one of the two different PoS devices used at
Catch NYC and Catch Steak.

Specifically, one of the devices is brought to the tables and used for
almost all of the dining area transactions, and the other is at the
bar and areas where the dining area waitstaff enter orders for the
kitchen.

The company claims that only cards used at the bar or where waitstaff
enter orders were impacted by this attack, as the transactions on PoS
devices that are brought to tables are secured via point-to-point
encryption technology.

Catch also explained that the timeframes when payment card data may
have been accessed varies between the two locations. Catch NYC
(including Catch Roof) was infected between March 19, 2019 and October
17, 2019, while Catch Steak was infected between September 17, 2019
and October 17, 2019.

The company says it has already removed the malware and added extra
security measures to its systems, while also looking into more ways to
improve the security of payment card data.

The incident was also reported to the payment processor and law
enforcement is conducting an investigation.

“It is always advisable to review your payment card statements for any
unauthorized activity. You should immediately report any unauthorized
charges to your card issuer because payment card rules generally
provide that cardholders are not responsible for unauthorized charges
reported in a timely manner,” Catch notes.