Cyber Incident Victim: Islands restaurants
Date:
Feb 2019
Location:
United States of America
Summary
A malware attack targeting point-of-sale systems compromised payment card data at 60 restaurant locations primarily in California, with additional sites in Arizona, Hawaii, and Nevada. The malicious software harvested magnetic stripe information including cardholder names, card numbers, expiration dates, and internal verification codes over several months before being contained. The establishment confirmed the malware was fully removed from affected payment processing devices following an investigation prompted by alerts about potential card data issues. Unlike some parallel breaches disclosed concurrently, this incident did not involve provisions for complimentary identity protection services, though impacted customers retain standard rights to annual credit report access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Islands restaurants experienced a payment card data breach involving point-of-sale (PoS) malware installed on devices processing customer transactions. The company was alerted to a potential payment card security issue, prompting an investigation with assistance from a computer forensics firm. This investigation revealed malware had been operating on PoS systems across multiple locations from February 13, 2019, through September 27, 2019, with infection dates varying by restaurant. The breach impacted 60 Islands locations, predominantly in California, with additional affected sites in Arizona, Hawaii, and Nevada. The malware specifically targeted magnetic stripe data during payment processing, collecting cardholder names, card numbers, expiration dates, and internal verification codes. Islands confirmed the malware had been fully removed from all payment processing systems by the time of their public disclosure on December 22, 2019, which coincided with breach announcements from Wawa convenience stores and another restaurant chain called Champagne. The company established a dedicated breach disclosure page listing all compromised locations but did not specify the total number of affected payment cards.
The breach exposed sensitive payment card information that could enable fraudulent transactions, though Islands did not quantify potential financial losses for customers. Unlike Wawa's response, Islands did not offer complimentary identity protection or credit monitoring services to affected individuals. The company advised customers to monitor their account statements and obtain free annual credit reports through authorized channels. Forensic analysis determined that while malware operated intermittently across locations, card data extraction was unsuccessful during certain weeks in March at seven establishments. Islands emphasized that no malware remained active on their systems following containment measures. The incident shared technical similarities with the Champagne restaurant breach disclosed the same day, including identical data targeting patterns and malware installation methods on PoS devices. Both restaurant chains maintained separate investigations and breach notifications despite the coordinated disclosure timeline.