Malware that infected the point-of-sale system at some of Huddle House’s corporate and franchised locations had led to a data breach.
The malware was designed to collect certain payment card information from the magnetic stripe, including cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code, according to a statement on the Huddle House website.
Criminals compromised a third-party POS vendor’s data system and utilized the vendor’s assistance tools to gain remote access—and the ability to deploy malware—to some Huddle House corporate and franchisee POS systems.
At this time, Huddle House does not know how many of its 400 corporate and franchised locations have been affected. Huddle House retained an IT investigation and security firm in less than 24 hours from notification, to deploy specialized software to prevent further attacks.
Customers who used a payment card at a Huddle House location between August 1, 2017 and through February 1, 2019 may be at risk. “This date range is based upon our preliminary investigation and we are still conducting our investigation into the scope of this attack,” said Huddle House.