Cyber Incident Victim: B&B Hospitality Group
Date: Mar 2017
Location: United States of America
Summary
A cybersecurity incident involving malware on point-of-sale systems compromised payment card data at nine New York metropolitan area restaurants. The malware targeted magnetic stripe track data, including card numbers, expiration dates, verification codes, and occasionally cardholder names, during transactions over an extended period spanning more than a year. No other customer information was affected. The impacted establishments were identified, and the malicious software was removed following an investigation coordinated with cybersecurity experts and payment card networks. Enhanced security measures were implemented to protect payment card data, and collaboration with financial institutions continues to address potential fraud risks.
Description
B&B Hospitality Group (B&BHG) publicly disclosed a payment card security incident on July 6, 2018, following an investigation conducted by a cybersecurity firm and payment card networks. The investigation revealed that malware infected point-of-sale (POS) systems at nine restaurants within the company's New York metropolitan area operations. This malware operated intermittently across different locations between March 1, 2017, and May 8, 2018, with specific timeframes varying by establishment. The malicious software targeted payment card data by capturing magnetic stripe track information during transaction processing, including card numbers, expiration dates, internal verification codes, and occasionally cardholder names. No evidence suggested compromise of other customer information beyond payment card track data. Affected restaurants included Babbo, Becco, Casa Mono, Del Posto, Esca, Felidia, Lupa, Otto Enoteca e Pizzeria, and Tarry Lodge, each maintaining individual websites where patrons could verify exposure periods specific to that location.

B&BHG removed the malware from all impacted systems following the investigation's conclusion and initiated security enhancements to better protect payment card data. The company coordinated with payment card networks to notify issuing banks about potentially compromised accounts. Customers received instructions to review card statements for unauthorized charges and contact their card issuers immediately regarding suspicious activity, with issuers typically bearing liability for timely-reported fraudulent transactions under network rules. B&BHG established a dedicated phone line (888-604-3388) operational on weekdays from 9:00 a.m. to 9:00 p.m. EDT for incident-related inquiries, supplementing restaurant-specific website information about protective measures. The incident remained confined to POS systems at the identified restaurants, with no indication of broader network compromise or theft of non-payment card customer data.
