Slashdot Mirror


Card Breach Announced at Chili's Restaurant Chain (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Malware has harvested payment card details from some Chili's restaurants, Brinker International, the company behind the restaurant chain, announced on Friday. Brinker says it detected the malware on Friday, May 11, the same day it made the announcement. The company said it is still investigating the incident together with law enforcement and third-party forensic experts. Based on the current details it was able to gather, the company said the malware appears to have infected some of its payment systems from where it gathered credit or debit card numbers and cardholder names.


  1. Solution... by b0s0z0ku · · Score: 3, Insightful

    Solution ... don't eat at Chili's. It's not like you'll really miss crappy fake "Tex Mex" food heated in a microwave. If you really need this cr@p, pay with good, old-fashioned, cash or a pre-paid card.

    1. Re:Solution... by ShanghaiBill · · Score: 5, Insightful

      Solution ... don't eat at Chili's.

      Better solution: Fix the idiotic CC system that requires the same information to be both widely known and secret.

    2. Re:Solution... by Anonymous Coward · · Score: 1

      You say that like all chains don't use Sysco food. The only difference between chains now is the quality of food that they order from Sysco. Sysco doesn't offer anything spicy, which is my main complaint, but after eating at over a hundred Mexican restaurants between Georgia and Washington state, none of them had spicy food anyway. It just sucks that you simply cannot get spicy Mexican food unless you cook it yourself.

    3. Re:Solution... by b0s0z0ku · · Score: 2

      I should have qualified further. Don't eat at most chains. If it's traded on Wall Street and has > 5 locations, quality takes a plummet.

      You can definitely get spicy/authentic Mexican food in AZ, CA, NM, or NY (Brooklyn). Places with ... large Mexican communities :)

    4. Re: Solution... by greenwow · · Score: 1

      But she is adding hot sauce. It's much better when you add chili peppers while cooking the meat.

    5. Re:Solution... by toonces33 · · Score: 1

      Sysco is a big one, but they are not the only supplier out there, and many customers split their orders among several suppliers. In many areas there are smaller purveyors that specialize in ethnic foods.

      A place like Chilis won't do this - they (along with a lot of other chains) have "dumbed down" the food because they think highly spiced food will put off some customers. So they make it bland. You might as well go to T.G.I.Fridays.

    6. Re:Solution... by youngone · · Score: 1

      We don't have Chili's where I live, so I had a look at their menu online.
      It didn't make me want to try their food. I'm guessing it's really cheap.

    7. Re: Solution... by greenwow · · Score: 1

      I've lived in Seattle since I was born almost 63 years ago, and I have never found a restaurant that is spicy. Even I have to specify that I want something "Indian spicy" but still don't get it spicy. The closest I've come to getting something even near as spicy as I want was when I asked for that with three Indian friends that all told the waitress that I meant that. It still wasn't as spicy as their meals.

    8. Re: Solution... by b0s0z0ku · · Score: 1

      Note to self: don't move to Seattle :)

    9. Re: Solution... by Anonymous Coward · · Score: 1

      This. Meat cooked properly is so much better than bland meat that has chilies added later. Just don't understand how many restaurants don't get that. We want spicy food.

    10. Re: Solution... by greenwow · · Score: 1

      > None of them have been spicy.

      Correct. Spices are expensive so the vast majority of restaurants won't provide spicy food no matter how much they charge.

    11. Re:Solution... by Anonymous Coward · · Score: 1

      My wife used to work for Sysco, and I can say that everything Chili's gets from Sysco is to the specs that Chili's has given Sysco. She says that if you wanted spicy, you could almost certainly get it from Sysco - the problem is that a lot of customers choose to not offer spicy because they think it will put off some customers, and the customers who do like spicy will eat there anyways.

    12. Re: Solution... by baegucb · · Score: 1

      I only lived in Seattle for 10 years in the 1990s. But I could get spicy food at Thai places. It helps that I can speak some Thai, and they'd know I was serious when I wanted my meal spicy. Mexican food there was bland. Korean food varied from place to place.

    13. Re:Solution... by ShanghaiBill · · Score: 1

      Just because you can think of a stupid alternative method of implementing transactions, that doesn't mean it is the only alternative.

      You should get a passport and go see the world. Most of the world has already fixed this problem.

      In America, a CC merchant receives the following information during a transaction:
      1. Your name
      2. Your credit card number
      3. The expiration date
      4. The CVV
      5. Your PIN, if using a debit card and the keypad is compromised.

      Of course, this is more than enough for a crook.

      In some other countries, the merchant receives this information:
      1. A one-time transaction ID that encodes the amount of the transaction and cannot be modified or reused, except for a full or partial refund.
      2. NOTHING ELSE - no name, no account number, no PIN, no phone number, nothing.

      The PIN is keyed into your own cellphone, not equipment controlled by the merchant.

    14. Re: Solution... by tlhIngan · · Score: 1

      Never understood why this has to be a racial thing. I'm whiter than white, yet have a much higher spice tolerance/enjoyment level than my partner, who's West Indian.

      I think in general most people don't have a high spice tolerance. I've known a few who get the sweats just eating a bell pepper (no kidding). Anything spicier and ... well, it ain't pretty.

      Among the people I know, I appear to have the most spice tolerance or desire for spice. One of my coworkers cooked up something really spicy (chickpea curry) and it was delicious, but only had a mild kick. Yet that was about as much as they could tolerate.

      About the most spicy food I could find was Chinese, Hunan in particular actually had a decent kick, and "really spicy" gave me the sweats. It was literally coated in the tiny Thai chilies (with seeds, of course).

      I always wondered why Tabasco sauce even has "mild" versions - it adds a nice flavor to food, but I don't see what's even a little spicy about it.

      Sadly, even something like ghost peppers, unless prepared yourself, generally is too mild.

    15. Re:Solution... by jbmartin6 · · Score: 1

      I'm going to keep on using my credit card with no worries, since like almost everyone I am not liable for false charges. There's no reason to change my behavior, breaches like this are the bank's problem, not mine.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    16. Re: Solution... by jbmartin6 · · Score: 2

      Huh? Spices are really cheap now that the Portuguese have figured out how to sail around Africa reliably.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    17. Re:Solution... by jbmartin6 · · Score: 1

      WeChat and AliPay are making some inroads in the US, a few places are now accepting payment in RMB or USD. I notice the list of linkable banks in WeChat keeps growing.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    18. Re:Solution... by mjwx · · Score: 1

      Solution ... don't eat at Chili's.

      Better solution: Fix the idiotic CC system that requires the same information to be both widely known and secret.

      Even better solution: Make the storage of card details illegal with jail terms for any business and supplier of POS terminals that permit it.

      This will never happen as it will force a small percentage of people back to cash, seeing as banks skim a percentage off each transaction on credit, they'll lose millions in pure profit from that small percentage.

      As an aside, my solution is easier and faster to implement.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.

    19. Re: Solution... by crypticedge · · Score: 1

      But she can't control the kitchen of every restaurant she goes to, so a bottle of hot sauce in her purse helps her at least add what little bit she can.

    20. Re:Solution... by yodleboy · · Score: 1

      This is why I NEVER select the "save my card for faster purchases" option. Well, except for Amazon, but that's the only exception. It takes me all of 20 to 30 seconds to enter card for each transaction. I can spare the time...

    21. Re: Solution... by rail2rail · · Score: 1

      And Trump eats burned steak with ketchup. I'll stick with the hot sauce aficionado versus the guy attempting to replicate Big Macs in the White House kitchen. https://www.eater.com/2017/11/...

    22. Re: Solution... by volmtech · · Score: 1

      Buffalo Wild Wings, the mild was too hot for me.

  2. I want my data back by Anonymous Coward · · Score: 4, Funny

    data back
    data back
    data back
    data back
    data back
    data back
    (repeat)

  3. wouldn't be easier? by AndyKron · · Score: 2

    Wouldn't it be easier just to report those that haven't been hacked yet?

  4. Wonder if the kiosks were the security breach. by SeaFox · · Score: 5, Interesting

    Chili's has those stupid at-table tablet kiosks that allow you to order things and pay your bill yourself.

    In the current climate of card skimming devices being installed by criminals at ATMs and gas pumps -- consider that.
    A portable, wireless, card reading device that is being left unsupervised for long periods of time, and the customer is being encouraged to use by the staff.

    1. Re:Wonder if the kiosks were the security breach. by amiga3D · · Score: 1

      I never have that problem. I hand them cash and so far it's never been hacked. I use a CC for major transactions and online purchases but if it's not a lot of money and I can pay cash I do. It's more convenient for me and safer for my account.

    2. Re:Wonder if the kiosks were the security breach. by cozytom · · Score: 1

      I was talking to the Ziosk people about 4 years ago, and yes they are Android based tablets. The management of the company was pushing these tablets to reduce costs, since "wait staff won't have to take your order" and "you won't have to wait around for your bill".

      I went to Outback recently, and yes they had the Ziosk tablets also. I just pushed the screen towards the wall of the booth, and had a wonderful time chatting with the waitperson, never having to touch the device the rest of my visit.

      I think it is a solution looking for a problem.

  5. Re:More blood on Trump's tiny hands... by greenwow · · Score: 2, Funny

    Never remember any data leaks under Obama, so this is the Republicans' fault.

  6. Why are people still eating at Chilis? by alternative_right · · Score: 1

    It's like a Southwestern Applebees. All the food still comes off a Sysco truck. You'll do better at Taco Bell for price/performance and also volcanic flatulence.

    1. Re:Why are people still eating at Chilis? by drinkypoo · · Score: 1

      Neither one offers spicy food. Can't believe so many of my friends still go to Taco Bell, Chili's, or Applebee's then complain about food being bland.

      Taco bell has some relatively hot sauces, although you have to ask for them. One of them is even a pretty good copy of Tapatio.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    2. Re:Why are people still eating at Chilis? by ArchieBunker · · Score: 1

      How about that airplane food? Isn't it terrible? Talk about an antique joke. If mildly spicy food makes you shit yourself then I suggest you see a doctor.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard

  7. Re:More blood on Trump's tiny hands... by Anonymous Coward · · Score: 1

    This. Credit card problems didn't happen under Obama.

  8. Re:I only ever pay cash by Anonymous Coward · · Score: 1

    I only ever get cash out of ATMs physically located inside banks

    You forgot to mention how you gave your bank account number to your employer to direct deposit your pay, your employer outsourced direct deposit to the cheapest service, and as soon as the direct deposit service company gets compromised, your bank account will be empty.

  9. Yeah announcing it the same day. Third party help by raymorris · · Score: 4, Insightful

    I don't like it when companies spend months before making an announcement, but making a public announcement the SAME DAY it's first discovered is surprising. It takes time to investigate and see if it's only an attacker in a certain city hitting nearby restaurants (such as over their wifi on on-table kiosks) or if it's very widespread. Chili's is a franchise, so there are many different companies running Chili's branded restaurants and they probably have separate payment systems.

    It also takes time for the technical people, executives, lawyer, and PR people to talk and make sure the public statement says the right things - that it's accurate and doesn't unnecessarily implicate Chili's in something that may be just one franchisee, for example. Getting the statement out the same day it was discovered is surprising.

    I'm glad to see they've already brought in third-party experts. In-house people may want to cover their own ass, or cover their friend's ass, or likely simply don't specialize in computer forensics and investigations, so calling in third-party experts is a really good idea.

  10. Did they hack the Pay at Table Tablets? by Joe_Dragon · · Score: 1

    Did they hack the Pay at Table Tablets?

  11. Re:I only ever pay cash by b0s0z0ku · · Score: 1

    "You" may do so, smart people don't.

    1. Get an account at a credit union -- no monthly fees.
    2. Create a separate account for direct deposits/checks.
    3. Transfer money as needed, only keep enough in the account to cover outgoing payments.

    If someone tries to suck it dry, joke's on them!

  12. New Commercial... by HockeyPuck · · Score: 3, Funny

    Chilis.....

    I want my data back data back data back...
    I want my data back data back data back...

  13. The worst part of all this by scourfish · · Score: 1

    Is that now the world knows you eat at Chilis

  14. Re:You get what you deserve... by b0s0z0ku · · Score: 1

    ... or just cook them dinner, to show them what food (not "food") is supposed to taste like.

  15. Come to think of it, I announced the same day by raymorris · · Score: 1

    After writing that, it occurred to me that the one time I had to make a "similar" announcement, I did so on the same day it was discovered. That was a much, much smaller company than Chili's, though, with much simpler systems.

    In our case, investigation led to the conclusion that there probably was no leak of data, but because we saw something that raises eyebrows we notified customers. We suggested that they keep an eye on their credit card statements over the next days and weeks and let us know if they saw any questionable charges.

    Which reminds me, there is something in the Chili's same-day announcement which could have been done better. The apparent leak was credit card numbers, not social security numbers. Yet Chili's suggested customers monitor their credit reports and file a fraud flag with the credit reporting agencies. That's the wrong course of action. Those things might make sense if your SSN was leaked. For a leaked CC number, the right thing to do is watch that credit card account. Bad guys use your CC number to make fraudulent charges on the CC, not to open new accounts.

  16. Re:You get what you deserve... by arkane1234 · · Score: 1

    Dude, that's never happened to me there. You've got problems. Seriously, see a doctor.

    --
    -- This space for lease, low setup fee, inquire within!

  17. Yet another example of why I use cash again by Rick+Schumann · · Score: 1

    Every week there is at least one report like this one of a data breach of electronic payment systems -- which is why I've been paying cash for everything I do in-person for more than a year now, to reduce the chances of getting my banking information stolen in one of these breaches.

    Nervous Nellies, Doomsayers, and Chicken-Littles need not comment; I don't care about all your pants-peeing nightmare scenarios about some masked stranger robbing me, heard it all before, literally don't give a fuck, don't waste your time. Similarly, I don't need or want anyone's 'advice' on how to 'keep myself safe' while still using plastic. I'm perfectly happy doing things the way I'm doing them.

    The day that they actually manage to properly secure electronic payment systems to the point where breaches are rare or never happen will be the day I re-think my cash-only policy. Until that day comes this is so far as I'm concerned the best way to prevent being compromised in a payment system breach, and I furthermore encourage others to adopt a cash-whenever-possible policy themselves.