It's confirmed that some locations of the Applebee's restaurant chain suffered a point-of-sale (POS) breach involving customers' payment card data.
On 2 March, RMH Franchise Holdings (RMH) issued a notice of data incident on its website. The statement explains how RMH, a franchisee of Applebee's which operates more than 150 restaurant locations, discovered that something was amiss on 13 February. It launched an investigation with the help of more than one digital forensics firm and determined that someone had installed unauthorized software on the point-of-sale (POS) systems at some of its managed Applebee's locations. The franchisee believes the incident might have exposed customers' names and payment card details "processed during limited time periods." According to RMH's statement, it appears the event affected most if not all of its Applebee's locations between 6 December 2017 and 2 January 2018. The breach didn't affect customers who paid online or used tabletop self-pay terminals during that period, RMH revealed. Upon learning of the breach, RMH took certain steps to contain the incident. As it explains in its notice:
In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.
While it works to learn more about what happened, it's urging customers to proactively monitor their payment card statements and consider placing a fraud alert or security freeze on their credit reports. It's unclear from RMH's statement whether the franchisee will individually notify affected customers about the breach. Given the point-of-sale incidents that struck Shoney's, Arby's, and others in 2017, it's important that restaurant chains seize upon 2018 as an opportunity to tackle the POS threat. Here's some guidance towards that end.