Landry's, a Houston-based owner and operator of restaurant chains across North America, kicked off the New Year by disclosing Tuesday (Dec. 31) that its payment systems had been infected by credit-card-stealing malware for most of 2019.
However, the malware could have stolen the card data only if waitstaff mistakenly ran customer credit cards through restaurant food-and-drink order-placement systems instead of credit-card readers, Landry's said in a notice posted on the company website.
Both systems allow waitstaff to swipe magnetic-stripe cards through card readers, but Landry's said no card numbers could have been stolen from its payment-card system despite the infection. Landry's implemented a fully encrypted payment-card system in 2016 following an earlier spate of payment-card theft, according to the Houston Chronicle.
"The general timeframe when data from cards mistakenly swiped on the order-entry systems may have been accessed is March 13, 2019 to October 17, 2019," the company notice states. "At a small number of locations, access may have occurred as early as January 18, 2019."
What to do
The company did not estimate how many customer credit and debit cards may have been compromised, but anyone who dined or drank at a Landry's-owned establishment during that time period should check their card statements and immediately report anything unusual to the card issuer.
Landry's operates establishments under 60-odd brand names, including The Boathouse, Blue Water Grill, Bubba Gump Shrimp Company, Claim Jumper, Del Frisco's Double Eagle Steak House, Del Frisco's Grille, Dos Caminos, Joe's Crab Shack, McCormick & Schmick's, Mitchell's Fish Market, Morton's The Steakhouse, Rainforest Cafe and Vic & Anthony's Steakhouse. It also operates the Golden Nugget casinos in Las Vegas, Atlantic City, Laughlin, Nevada and Lake Charles, Louisiana. A full list of Landry's properties is here.
Concerned customers can call Landry's toll-free at 1-833-991-1538 from 8:00 a.m. to 8:00 p.m. Central Standard Time, Monday through Friday. The company has not said whether it will offer identity-protection services to affected customers.