Cyber Incident Victim: Catch Hospitality Group

Date: Mar 2019

Location: United States of America

Summary

A hospitality group experienced a malware infection on point-of-sale systems at three New York City restaurants, enabling attackers to harvest payment card data from customers. The malicious software captured magnetic stripe track information, including card numbers, expiration dates, verification codes, and occasionally cardholder names. The compromise affected patrons who visited the establishments during specific operational periods prior to remediation. Stolen data could facilitate fraudulent transactions, necessitating vigilance for unauthorized charges on impacted payment cards.

Description

Catch Hospitality Group disclosed a payment card security incident affecting its New York City restaurants Catch NYC, Catch Rooftop, and Catch Steak. Point-of-sale (POS) systems at these establishments were infected with malware designed to steal customer credit card information. The malware operated at Catch NYC and Catch Rooftop from March 19, 2019, through October 17, 2019. For Catch Steak, which opened September 18, 2019, the compromise period spanned September 17 to October 17, 2019. The company publicly acknowledged the breach on November 23, 2019, through a payment card incident notice. Attackers deployed malware capable of harvesting track data stored on credit cards' magnetic stripes during processing.

The malware captured credit card numbers, expiration dates, and internal verification codes from infected POS devices. In some instances, customer names were also exfiltrated when present in the track data. The breach exposed payment cards used during the specified timeframes at all three locations. Catch Hospitality Group notified potentially affected customers to review credit card statements from the relevant periods and monitor future statements for unauthorized transactions. The company advised individuals to contact their card issuers immediately upon discovering suspicious charges. No specific details regarding malware detection methods, containment procedures beyond the October 17 endpoint, or attacker attribution were disclosed in the public notice.
