B&B Hospitality finds POS malware at nine NY restaurants that stole data for over a year

  • The restaurant dining group said the breach occurred between March 1, 2017 and May 8, 2018.
  • The malware accessed a trove of sensitive data including payment card numbers, expiration dates, internal verification codes and more.

US-based, Italian-style restaurant dining group B&B Hospitality Group (B&BHG) said it discovered malware on point-of-sale devices at nine different restaurants in the New York City area that had been stealing payment card data for over a year.

The nine affected restaurants include Babbo, Becco, Casa Mono, Del Posto, Esca, Felidia, Lupa, Otto Enoteca e Pizzeria and Tarry Lodge.

According to an investigation by a “leading cyber security firm” and the payment card networks, the breach seemed to have occurred between March 1, 2017 and May 8, 2018. The time frame of the malware’s operation may differ from restaurant to restaurant, B&BHG noted.

The specially designed malware installed on point-of-sale (POS) devices at the nine restaurants was used to access a trove of sensitive information including card numbers, expiration dates, internal verification codes and, in some cases, cardholder names read from the magnetic stripe of a payment card.

The restaurant group said no other customer data was affected in the breach.

“B&BHG has removed the malware from all of the restaurants and is taking steps to enhance measures for securing payment card data,” the company said in a release. “In addition, B&BHG is working closely with the payment card networks regarding this matter so that the banks that issue payment cards can be made aware.”

The company has also asked customers who may have been affected to check the restaurant’s website to confirm the applicable time frame and to find more details and guidance to help protect their payment card data.

Customers have also been advised to review their payment card statements for any suspicious activity or fraudulent payments and report any unauthorized charges to their card issuer.