Casual dining chains identify cause of breach

Moe's Southwest Grill, McAlister's Deli, and Schlotzsky's were hacked with an unauthorized code.

The three restaurant retailers are providing an update on a payment card security incident customers were initially notified of on Aug. 20, 2019. A nearly completed forensic investigation indicates the likely cause was that unauthorized code designed to copy payment card data from cards used in person was installed at certain corporate and franchised Moe's Southwest Grill, McAlister's Deli, and Schlotzsky's restaurant locations at different times over the general period of April 11, 2019 to July 22, 2019.  

The unauthorized code was not found at all locations, and at most of the locations where it was found it was present for only a few weeks in July 2019. The unauthorized code searched for track data read from the magnetic stripe of a payment card as it was being routed through a restaurant's server. 

The code often found the part of track data that contains the card number, expiration date, and internal verification code, and sometimes it found the part that also includes the cardholder name. The companies say it is possible the code did not find every card that had been used at each location during the time frames involved.

Moe's Southwest Grill, McAlister's Deli, and Schlotzsky's have taken measures to contain the incident and remove the unauthorized code, and are working to implement measures to further enhance payment card security.  Law enforcement and the payment card networks were notified when the companies discovered the incident.