Cyber Incident Victim: Truluck's Seafood, Steak, and Crab House
Date:
Nov 2018
Location:
United States of America
Summary
A seafood and steak restaurant chain experienced a malware-based data breach impacting point-of-sale systems across eight locations, including establishments in Dallas-Fort Worth, Austin, Houston, Chicago, and Naples. The compromise exposed customers' credit card information during transactions at affected restaurants over a two-month period. The incident involved unauthorized data copying through malicious software installed on payment processing systems. The breach was publicly disclosed following an internal investigation, confirming unauthorized access to payment card details but not specifying the total number of affected patrons. The malware specifically targeted card data processed through the compromised systems at multiple geographically dispersed branches of the hospitality business.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late 2018, Truluck’s Seafood, Steak & Crab House experienced a data breach impacting point-of-sale systems at eight of its restaurant locations. The Houston-based chain disclosed the incident publicly on February 13, 2019, revealing that attackers had deployed malware designed to capture customers’ payment card information. The compromise occurred during a two-month window spanning November and December 2018, affecting establishments across multiple metropolitan areas. Specifically impacted locations included two restaurants in the Dallas-Fort Worth region (downtown Dallas and Southlake), two in Austin, two in the Houston area, and single locations near Chicago, Illinois, and Naples, Florida. The malware operated by copying credit card details processed through the compromised POS systems during transactions.
Truluck’s initiated breach notifications to customers following internal investigations, warning that stolen data could enable fraudulent transactions. The company did not specify the number of affected patrons or whether non-cardholder personal information was accessed. No forensic details about malware installation methods, attacker identification, or containment timelines were disclosed in the public announcement. The breach exposed vulnerabilities in the chain’s payment processing infrastructure, potentially enabling financial fraud against diners at the affected locations. Truluck’s public statement served as the primary response measure documented in available reports, with no supplementary remediation steps or victim support initiatives described in the source material.