Cyber Incident Victim: Schlotzsky's
Date: Apr 2019
Location: United States of America
Summary
A U.S. restaurant chain experienced a payment card breach after point-of-sale malware infected systems at select corporate and franchised locations, compromising card numbers, expiration dates, verification codes, and occasionally cardholder names. The malware operated for varying durations across affected establishments, with some locations impacted for several weeks before the intrusion was halted in late July. Customers were notified approximately one month after malicious activity ceased, and the parent company provided a tool to check specific location involvement. The incident impacted multiple subsidiaries under the same ownership, though not all sites were affected.
Description
The Schlotzsky's restaurant chain experienced a payment card data breach in 2019 resulting from point-of-sale (PoS) malware infections across certain locations. The incident was disclosed alongside two other Focus Brands subsidiaries—McAlister's Deli and Moe's Southwest Grill—on August 20, 2019, though initial unauthorized access began earlier at Schlotzsky's. Attackers first compromised Schlotzsky's systems on April 11, 2019, nearly three weeks prior to the April 29 breach start dates at Moe's and McAlister's. The malware operated until July 22, 2019, when Focus Brands terminated the intrusion across all three chains. While not all corporate and franchised locations were affected, most compromised sites had the malicious code active for only a few weeks during July. The malware targeted payment card data as it was processed through restaurant servers, capturing magnetic stripe details including card numbers, expiration dates, and internal verification codes, with cardholder names also exposed in some instances.

Focus Brands initiated an investigation with cybersecurity experts, confirming that the breach affected a subset of their combined 1,500 U.S. locations. The company provided location-specific lookup tools for customers to verify exposure but did not publish a full list of compromised sites. Notification letters confirmed the malware's data exfiltration method but did not disclose the number of affected cards or customers. The breach duration varied across locations, with Schlotzsky's sustaining the longest potential exposure window among the three chains at over three months. No fraudulent use estimates or financial impact disclosures accompanied the notifications. Focus Brands emphasized that remediation efforts had eliminated the malware by late July, prior to the August customer alerts.
