Landry’s Notifies Public of Data Breach

After detecting unauthorized access to the network that supports payment processing, Landry’s launched an investigation and discovered malware operating within its system. The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems. In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name.

While the malware was able to access this data on the order-entry systems, it seems the end-to-end encryption technology that Landry’s runs on its point-of-sale terminals worked as needed and prevented the malware from accessing any valuable payment card data. Landry’s instituted this technology in 2016 after it was the victim of a payment data breach during two main periods: May 4, 2014 to March 15, 2015, and May 5, 2015 to Dec. 3, 2015.

The 2015 POS attack affected more than 350 locations across the USA and Canada and allowed attackers to steal data from the magnetic stripe of customer payment cards, said Alex Guirakhoo, Strategy and Research Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.

"Landry’s has yet to confirm how many payment cards were compromised as a result of the attack, but as of 2019, the company owns and operates more than 600 properties across North America,"  Guirakhoo added.

The Power of education

The combination of user error among waitstaff and a lack of security measures on the order-entry devices seem to have generated the perfect conditions for this particular malware attack. 

"This incident highlights the importance of implementing security culture awareness and training for all staff within an organization, as well as how attackers can identify and exploit lapses in security. Security culture can be a challenge for large organizations, particularly those with franchise models where properties are managed individually," Guirakhoo says.

In the future, Landry's -- and other operators -- could benefit from taking a more proactive approach to training wait staff on basic security measures, notes Heather Paunet, VP of product management at Untangle.

"Landry’s should conduct annual or bi-annual training for all employees, new and veteran, to ensure that each person working in the restaurant understands the importance of using each device separately and how easily payment card information can be stolen," she says.

But its not enough to just provide training to employees. The training has to actually work - which means the information has to be easily retained by staff and, more importantly, they have to be willing to listen to it.

"I have seen many training videos that were desperate to be hip and engaging but wound up coming across as a bad joke. Even if they had succeeded at being engaging, they were often way too long. It doesn't matter how great the data in your video is - if it's over five minutes long, no one is paying attention to it, and they're dreading having to watch it. If your employees are dreading or annoyed by your training, they're not actually going to retain the information," explains Kevin Lancaster, General Manager of Security Solutions at Kaseya.

"Aim to have your training videos be between three and five minutes long. They should establish the subject and educate on it without trying to be flashy. They should be followed by a quick quiz that is easy to answer provided the respondent was paying attention to the training. You aren't trying to stump people here, but at the same time asking "Is Phishing Bad? Yes or No?" doesn't actually demonstrate the ingestion of information," he adds.

BEYOND EDUCATION

Educating employees, however, isn't the only change that needs to happen among operators.

"Education is important, however, I believe the same end-to-end encryption should have been installed on all systems, just not the ones the waiters/waitresses were expected to use.  Simply put: you can’t lock the front door and leave the garage open," says Terence Jackson, Chief Information Security Officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions. 

Paunet agrees.

"Landry’s should have taken the additional steps to provide full encryption protection to any device with the ability to accept card swipes," she says. "This includes the order-entry device with a card reader specifically used to identify Select Club Rewards Members. Any device that can gather, display, or associate personal identifiable information should be covered under network security systems in place," she adds.

NOTIFICATION OF THE PUBLIC

Like so many other operators in the hospitality space, it seems both the time between the data breach and Landry's notification of the public at large remains lengthy as well as the length of the data breach itself. According to the information provided by Landry's, this data breach took place over the course of six months (184 days) and the time between the discovery of it and notification to the public was approximately 74 days.

"I’m sure we’ll see more attacks like this as we move through 2020," says Stefan Kochi, Head of Engineering, Paytronix Systems, Inc. "The real problem is in discovery and reporting. On average, it takes about 200 days for U.S. companies to discover a breach like this. The best thing we can do is share learnings as they occur so that others can avoid the exact situation Landry's is in today."