Cyber Incident Victim: McAlister's Deli
Date: Apr 2019
Location: United States of America
Summary
A U.S. restaurant chain experienced a payment card breach after point-of-sale malware infected systems across multiple affiliated brands, compromising customer payment data during transactions. The malware captured magnetic stripe information including card numbers, expiration dates, verification codes, and occasionally cardholder names at select corporate and franchised locations over varying periods. The intrusion was contained after several weeks, with most locations affected for only a short duration. While not all sites were compromised, the parent company provided an online tool for customers to verify impacted locations. The incident was publicly disclosed approximately one month after malicious activity ceased, with cybersecurity experts assisting in the investigation and remediation efforts.
Description
In 2019, multiple U.S. restaurant chains experienced point-of-sale (PoS) malware attacks compromising customer payment card data. McAlister's Deli, alongside Moe’s Southwest Grill and Schlotzsky’s—all subsidiaries of Focus Brands—disclosed breaches between August and October 2019. The intrusion timeline varied across chains: Schlotzsky’s systems were first compromised on April 11, while McAlister’s and Moe’s infections began later on April 29. Attackers deployed malware designed to capture payment card details as transactions were processed. The malicious code remained active until July 22, when Focus Brands terminated the intrusion across all three chains. The company emphasized that not all corporate or franchised locations were affected, with most impacted sites experiencing malware presence for only a few weeks during July. Customers were notified about the incident on August 20 through public disclosures and individual communications.

The PoS malware harvested magnetic stripe data from payment cards, including card numbers, expiration dates, and internal verification codes. Cardholder names were also exfiltrated in some instances. Focus Brands provided online lookup tools allowing customers to verify whether specific restaurant locations they visited were compromised, though comprehensive lists of affected sites were not published. The breach impacted a subset of the combined 1,500 locations operated by the three chains. Forensic investigations confirmed the malware’s data theft functionality but did not reveal evidence of other system misuse. No details regarding attacker identification or malware naming conventions were disclosed in the public notifications. The incident reflected ongoing threats to payment systems despite decreased prevalence of PoS malware compared to previous years.
