Hundreds of well-known U.S. restaurants hit by card-stealing malware

The sign outside a Bubba Gump Shrimp Co. restaurant at the Universal Studios Hollywood theme park in Universal City, California. (Image credit: Pe3k/Shutterstock)

Landry's, a Houston-based owner and operator of restaurant chains across North America, kicked off the New Year by disclosing Tuesday (Dec. 31) that its payment systems had been infected by credit-card-stealing malware for most of 2019.

However, the malware could have stolen the card data only if waitstaff mistakenly ran customer credit cards through restaurant food-and-drink order-placement systems instead of credit-card readers, Landry's said in a notice posted on the company website.

Both systems allow waitstaff to swipe magnetic-stripe cards through card readers, but Landry's said no card numbers could have been stolen from its payment-card system despite the infection. Landry's implemented a fully encrypted payment-card system in 2016 following an earlier spate of payment-card theft, according to the Houston Chronicle.

"The general timeframe when data from cards mistakenly swiped on the order-entry systems may have been accessed is March 13, 2019 to October 17, 2019," the company notice states. "At a small number of locations, access may have occurred as early as January 18, 2019."

What to do

The company did not estimate how many customer credit and debit cards may have been compromised, but anyone who dined or drank at a Landry's-owned establishment during that time period should check their card statements and immediately report anything unusual to the card issuer. 

Landry's operates establishments under 60-odd brand names, including The Boathouse, Blue Water Grill, Bubba Gump Shrimp Company, Claim Jumper, Del Frisco's Double Eagle Steak House, Del Frisco's Grille, Dos Caminos, Joe's Crab Shack, McCormick & Schmick's, Mitchell's Fish Market, Morton's The Steakhouse, Rainforest Cafe and Vic & Anthony's Steakhouse. It also operates the Golden Nugget casinos in Las Vegas, Atlantic City, Laughlin, Nevada and Lake Charles, Louisiana. A full list of Landry's properties is here.

Concerned customers can call Landry's toll-free at 1-833-991-1538 from 8:00 a.m. to 8:00 p.m. Central Standard Time, Monday through Friday. The company has not said whether it will offer identity-protection services to affected customers.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.