Landry’s Reveals A Few More Details On Breach

Landry’s, which announced a breach last December, has revealed a few more details regarding the breach.  One key detail still missing is the number of credit cards affected.

Some of what we do know is –

  • The breach affected 46 of the company’s brands including the high end restaurant chain Mortons and the Golden Nugget Casino.
  • The breach affected more than 350 locations, out of about 500 total properties.
  • The affected locations were in 34 states – a pretty broad geography.
  • The breach ran, at different locations, from May 4, 2015 to March 15, 2015, May 5, 2015 to December 3, 2015 and/or March 16, 2015 to May 4, 2015.  The last one only affected a small number of properties.  This represents a time window between the start of attack and detection of between 200 and 300 days, not counting the last attack.  Attackers can compromise a lot of data in 300 days.
  • Data that was taken came from the magnetic stripe.  While some people say that chip cards won’t stop breaches, this is a perfect example of a real world breach that might well have been stopped if Landry’s terminals used chip readers.
  • The company says that enhanced security measures have been added – whatever that means – and that they are implementing end to end encryption, which I assume means that they are finally installing chip card readers, but could mean something else.

Businesses need to understand that their point of sale terminals are incredibly attractive to attackers.  Many of them are still running Windows xp, which is not terribly secure and reports say that many do not install security patches on a regular basis.

Regardless of whether they lose a significant number of customers, the investigation and remediation is going to be expensive and the distraction for the management team and franchisees will be significant.  If there are lawsuits, that will be an additional cost and distraction.

Information for this post came from Bank Information Security and Biz Journals.

Leave a Reply

Your email address will not be published.