Cyber Incident Victim: Eataly
Date:
Jan 2015
Location:
United States of America
Summary
Eataly experienced a payment card data breach at its New York City retail marketplace, where malware infiltrated systems to capture transaction data in real-time over nearly four months. The incident exclusively affected the retail location, sparing on-site restaurants and other global operations. Compromised information included financial card details from purchases made during the affected period. The organization engaged external forensic experts to investigate, neutralize the malware, and confirm containment. Impacted customers were offered complimentary fraud resolution and identity protection services through a dedicated communication channel.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early 2015, Eataly's New York City Retail Marketplace experienced a data breach compromising payment card information from transactions occurring between January 16 and April 2 of that year. The company confirmed the incident publicly on June 5, 2015, clarifying that only their NYC retail marketplace operations were affected, excluding their on-premise NYC restaurants and other international locations. Malware installed on Eataly's systems captured payment card data in real time during the nearly four-month window, though the company emphasized they do not store payment information internally. The breach potentially exposed financial data from all cards used at the marketplace during this period, putting customers at risk of fraudulent activity. Eataly initiated an investigation with assistance from external forensic experts who identified and neutralized the malicious software. Company statements confirmed the containment of the situation following malware eradication, with no evidence suggesting broader system compromise beyond the specified timeframe or locations.
The breach investigation revealed no impact on Eataly's restaurant point-of-sale systems or global operations outside the NYC marketplace. Affected customers were advised to monitor their financial statements for unauthorized transactions and offered complimentary fraud resolution services through a dedicated email address (eataly[at]protectmyid[dot]com). Eataly's public disclosure did not specify the exact number of compromised accounts but acknowledged all marketplace transactions during the 77-day exposure window as potentially affected. Forensic analysis confirmed the malware's functionality was limited to intercepting live transaction data rather than accessing stored records. The company maintained transactional operations throughout the containment process, implementing additional security measures following the incident. No further breaches or related malware activity were reported by Eataly following the April 2 containment date.