In the never-ending epidemic of data breaches, yet another company is added to the list. According to a message written on its website, New York-based restaurant operator Catch Hospitality Group has been breached by malware targeting their point-of-service (POS) systems. The affected restaurants are Catch NYC, Catch Roof, and Catch Steak and, as the security alert states, the malware breached the restaurants at different points. Catch NYC and Catch Roof were accessed March 19-Oct. 17, 2019, and Catch Steak was compromised Sept. 17-Oct. 17, 2019.
The attack itself and the nature of the malware used is described as follows by the alert:
Catch recently launched an investigation after detecting unauthorized activity on some of our payment processing systems, and a leading cybersecurity firm was engaged to assist. The investigation identified the operation of malware designed to access payment card data from cards used on certain point-of-sale (“POS”) devices at Catch NYC (including Catch Roof) and Catch Steak. The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through these POS devices. There is no indication that other customer information was accessed.
Catch Hospitality Group says that they use two separate POS systems in their establishments. Only one of these, the POS systems used primarily at the bar, were compromised. The malware, according to the security notice, has been removed from the system. The data breach investigation is ongoing and is being led by law enforcement. As of now, it is unknown who the threat actors are behind the attacks, or perhaps Catch Hospitality Group knows and has not revealed their names.
Any individual or business who has used their payment cards at these establishments is encouraged to check their statements for unauthorized activity.
Featured image: Freepik / katemangostar