Catch Hospitality Group revealed that a point-of-sale (POS) malware incident might have exposed some of its customers' data.
The restaurant and catering company launched an investigation and retained the services of a digital forensics firm after detecting unauthorized activity on its payment processing systems. This investigation uncovered a malware operation that had affected some POS devices deployed at Catch NYC (including Catch Roof) and Catch Steak between September 17, 2019 and October 17, 2019. Specifically, researchers determined that the incident might have exposed transactions on POS devices that waitstaff used to enter orders at the bar and other areas. Those transactions contained customers' payment card details including their name, payment card number and expiration code. Even so, Catch noted that the incident had not affected transactions processed on POS devices which customers use to pay for their orders from their tables. The hospitality group said that these devices use point-to-point encryption. Catch said that its response to this security incident remains ongoing. As quoted in its notice:
During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, we have reported the incident to our payment processor and are supporting an investigation by law enforcement.
The company urged customers to consider reviewing their account statements and credit reports for suspicious activity. If they detect any unknown transactions on the former, they should contact their card provider as soon as possible to report those unauthorized charges. They might also want to proactively protect their credit files by placing a fraud alert or security freeze on each of their credit files hosted by Equifax, Experian and TransUnion. Victims of a malware incident or data breach can use these steps to further deter identity thieves.