Cyber Incident Victim: Focus Brands
Date: Apr 2019
Location: United States of America
Summary
A cybersecurity incident impacted multiple U.S. restaurant chains under a single parent company, involving point-of-sale malware that stole customers' payment card data during in-person transactions. The malware captured magnetic stripe information including card numbers, expiration dates, and verification codes, with cardholder names also compromised in some instances. Unauthorized access affected corporate and franchised locations across the brands for varying durations, with most locations experiencing only weeks of exposure before the intrusion was terminated. While not all outlets were compromised, the company provided online tools for customers to verify affected locations. The breach was publicly disclosed approximately one month after malicious activity was contained, with payment card data subsequently appearing for sale in criminal markets.
Description
Between April and July 2019, multiple U.S. restaurant chains owned by Focus Brands (McAlister’s Deli, Moe’s Southwest Grill, and Schlotzsky’s) experienced a cybersecurity incident involving point-of-sale (PoS) malware that compromised customer payment card data. The breach began earliest at Schlotzsky’s locations on April 11, 2019, followed by Moe’s and McAlister’s on April 29. Attackers deployed malware on payment systems to capture card information from magnetic stripes as transactions were processed. The compromised data included card numbers, expiration dates, internal verification codes, and in some instances, cardholder names. The malware operated undetected until Focus Brands terminated the intrusion on July 22, 2019, though its presence varied across locations; most affected sites experienced exposure for only a few weeks in July, and not all corporate or franchised restaurants were impacted. The incident affected a subset of the chains’ combined 1,500 U.S. locations, with no public list identifying compromised sites.

Focus Brands initiated an investigation and removed the unauthorized code upon discovery. On August 20, 2019, the company notified customers of the breach and provided an online lookup tool to determine if specific visited locations were affected. The malware’s design targeted payment card data during in-person transactions, indicating a focused effort to harvest financial information for resale. While the duration of compromise was shorter than a contemporaneous breach at Hy-Vee (unrelated to Focus Brands), the incident exposed customers across multiple states to potential fraud. No further operational disruptions or long-term system damage were disclosed, but the theft underscored persistent risks associated with PoS systems, which remained lucrative targets due to the resale value of card data. Focus Brands did not disclose the number of impacted individuals or additional remediation steps beyond the lookup tool and initial alerts.
