
Cyber Incident Victim: Moe's Southwest Grill

Date:

Apr 2019

Location:

United States of America

Summary

Moe's Southwest Grill and affiliated restaurant chains experienced a payment card data breach caused by point-of-sale malware that compromised their payment systems. The malicious software captured card details from the magnetic stripe during transactions, including card numbers, expiration dates, verification codes, and occasionally cardholder names. The intrusion affected select locations over several weeks before it was terminated. Not all outlets were affected; the parent company provided lookup tools so customers could check whether a given location was compromised. The incident was part of a broader wave of attacks targeting multiple U.S. food establishments, with the duration of unauthorized access varying across chains.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Between April and July 2019, multiple U.S. restaurant chains experienced payment card breaches resulting from point-of-sale (PoS) malware infections. Focus Brands subsidiaries Moe's Southwest Grill, McAlister's Deli, and Schlotzsky's disclosed that attackers had installed malware on their payment systems to steal customer card data. The compromise began earliest at Schlotzsky's, on April 11, 2019, while Moe's and McAlister's were affected starting April 29. The malware operated until its removal on July 22, 2019, though the companies noted it was not present at all locations and was typically active for only a few weeks during July. The malicious code intercepted payment card data as it passed through restaurant servers, capturing magnetic stripe information including card numbers, expiration dates, and verification codes, with cardholder names also exposed in some instances. Focus Brands publicly notified customers of the incident on August 20, 2019, more than three weeks after containing the intrusion. Affected establishments included both corporate-owned and franchised locations across the chains' combined 1,500 U.S. restaurants. While the companies did not publish a full list of compromised sites, they provided online lookup tools so customers could check whether specific locations they had visited were involved.

Hy-Vee, a separate food retailer, experienced a similar but longer-running PoS malware incident, first disclosed on August 14, 2019, with additional details released on October 3. Hy-Vee's investigation revealed malware infections at fuel pumps, restaurants, and drive-thru coffee shops, with varying start dates: fuel pump systems were compromised from December 14, 2018, while the restaurant and coffee shop breaches began January 15, 2019. Six locations showed evidence of card data theft potentially starting as early as November 9, 2018, and one location had ongoing malicious activity until August 2, 2019. The company detected unauthorized access to its payment systems on July 29, 2019, prompting an investigation with cybersecurity experts. Unlike the Focus Brands breaches, which lasted approximately one month, Hy-Vee's systems were compromised for up to nine months in some cases. All four food chains confirmed the attacks targeted in-person card transactions, with the stolen data including the elements necessary for financial fraud. No quantitative impact assessments regarding the number of compromised records or financial losses were disclosed in the notifications.

Sources
Sources available to members
1 source