Two companies reported problems that could affect customers in terms of card payment systems. On Dec. 17, Landry’s restaurant and casino chain acknowledged that unauthorized charges were made to an undisclosed number of credit and debit card holders who dined at some of its restaurants. The chain has more than 500 properties and 40 brands including Landry’s, Chart House, Rainforest Café, Bubba Gump Shrimp Co, Salt Grass Steak House, Willie G’s, Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s plus the Aquarium and Vic & Anthony’s downtown. It also owns the Kemah Boardwalk, the Pleasure Pier in Galveston and several Golden Nugget casinos and hotels. The problem appears to be with its payment processing system.
KrebsonSecurity reported that banking industry sources said the fraud patterns suggested that the problem may have started May 2015. Landry’s investigation is ongoing and the company does not yet know the extent of the breach in terms of the number of customers and locations that may be affected. They have confirmed that it probably involves the data from the magnetic stripe on the back of cards which includes cardholder name, card number, expiration date and the internal verification code. No personal data such as Social Security numbers would be at risk.
In a website FAQ Landry’s addressed how the company had begun changing its payment card process before even becoming aware of the breach. “System changes that we began implementing even before we were apprised of the reports of unauthorized usage have already been made, both to the specific restaurants where the suspect activity occurred as well as the overwhelming majority of our restaurants. The new, enhanced payment system encrypts the card data throughout our processing system.” One Landry official said that the new system has been implemented at 92 percent of the company 500 properties.
Safeway supermarkets in Colorado and California became targets of card-skimming attacks according to spokesperson Brian Dowling on Dec. 17. The chain is encouraging customers to check their September and October bank statements for fraudulent activity. Credit card skimmers have been found embedded directly in the card-processing machines at some checkout stands. The company has not announced which locations were affected but media in various cities have begun to report stores where confirmed skimmers were found.
A card skimmer is a device that logs card data and PIN numbers when a customer slides a credit or debit card through the payment device. It involves either secretly disassembling point-of-sale PIN pads and inserting a wire tapper, or replacing them outright with one of the same design. It generally involves someone working inside the affected retailer and is not limited to just supermarkets. In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The prior year Michaels Stores replaced more than 7,200 terminals nationwide.
All stores that use payment devices where a customer skims a card through a reader can be targets. The new Chip and PIN cards will make it significantly harder to steal data from. Unfortunately many retailers have not yet installed the new payment devices and card issuers have been slow to mail out the new cards to replace the old mag strip cards.
Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity. “We have an excellent track record in this area,” told Brian Krebs in an interview. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.” Dowling continued to state the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group. “This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.