Landry's Reveals Details of POS BreachMalware Spread to More than 350 Locations in 34 States, Canada
See Also: 2016 Social Engineering Report
The breaches exposed payment cards used at 46 of its brands, which include the restaurant chain Morton's and Golden Nugget Hotels and Casinos. More than 350 locations in 34 states, the District of Columbia and Canada were affected, according to a Jan. 29 statement. Landry's has about 500 locations under its corporate umbrella.
Landry's, which originally announced limited information about the security incidents on Dec. 17, did not provide an estimate of the number of cards that may have been impacted. Card issuers contacted by Information Security Media Group say they haven't yet seen significant fraud that can be linked to the breaches.
Landry's did not respond to ISMG's request for further comment.
In its Jan. 29 statement, Landry's says a malicious "program" used to compromise card data was designed to steal cardholder names, card numbers, expiration dates and verification codes.
"Findings from the investigation show that criminal attackers were able to install a program on payment card processing devices at a certain [number] of our restaurants, food and beverage outlets, spas, entertainment destinations and managed properties," according to the statement. "The program was designed to search for data from the magnetic-stripe of payment cards that had been swiped as the data was being routed through affected systems.
The company says locations were affected at different times during one or both of the following periods: from May 4, 2014, through March 15, 2015, and from May 5, 2015, through December 3, 2015. In addition, the at-risk timeframe for a small percentage of locations includes the period from March 16, 2015, through May 4, 2015.
Since discovering the two breaches, Landry's says it has deployed end-to-end encryption and other security enhancements across its properties, "to prevent a similar issue from occurring in the future."
"We continue to support law enforcement's investigation," Landry's notes. "We are also working closely with the payment card networks to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring of those accounts. For those customers we can identify as having used their card at an affected location during that location's at-risk window, and for whom we have a mailing address or e-mail address, we will be mailing them a letter or sending them an e-mail."
Because not all of Landry's properties and brands were breached, the compromised locations span a wide geographic area and malware attacks occurred in different time frames, the affected businesses were not likely using a centralized payments network or system, says Jeff Man, a payments expert and security evangelist for continuous network monitoring firm Tenable Network Security.
Instead, Man says the businesses are likely relying on regional payments processors using various types of payments systems and point-of-sale devices. Many of the POS systems used at merchant locations still run on outdated Windows-based operating systems that are not being properly patched, Man notes.
"Merchants know they need to get off these systems, but it's a challenge," Man says. "Retailers typically are using an embedded operating system that's connected to a cash register, essentially. The merchants aren't pushing patches to the cash register. In theory, the payments processors supplying these POS systems are supposed to supply the support. But we know that is not always the case."
What Malware Was It?
Although Landry's did not name the malware used in the breaches, John Buzzard, a fraud specialist at core banking processor FIS Global, says it was likely a customized version of Black POS or BackOff, common POS malware strains used in other retail POS attacks.
"We see sporadic infections today that affect a brand but not all locations, and some of the answers to these vexing problems might be as simple as the type of POS software that is being used at the targeted location, or how easy it is to infiltrate the administrative controls that are in place at each location," Buzzard says. "This tells me, and everyone else, that the will of the criminal can oftentimes be stronger than the will of our security best practices. These guys are diligent and maddening.
"The best take away here for me is to always assume that your organization is in a constant state of attack so that your staff carries out daily due diligence that will secure the brand and the operation during the long haul."
Man says the Landry's breaches underscore the security challenges facing smaller merchants who rely heavily on regional processors for assistance.
"Landry's likely uses a franchise-like model for most of their stores or operations," he says. "And that's the Achilles heel for the industry, because when you have a model like that, those locations are considered small merchants. So they are probably not getting the attention they should for PCI compliance."