Checkers and Rally's data breach exposed customer credit card details

15% of Checkers and Rally's drive-through restaurants were affected by PoS malware that allowed hackers to steal customer credit card details

Checkers and Rally's data breach exposed customer credit card details after hackers planted malware on its systems

Checkers and Rally's, one of the most widespread fast food drive-through chains in the United States, was hacked, exposing its customers' credit card information. According to the notice posted on its official website,[1] hackers managed to insert malware into payment processing systems, which affected 15% of the chain's restaurants across the United States – 102 out of 900.

The notice was published on May 29 and explained that Checkers and Rally's is working on the investigation:

We recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations. After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter. We have worked closely with the third-party security experts to contain and remove the malware.

The PoS (point-of-sale) malware[2] used by the hackers allowed them to harvest data from the credit cards' magnetic stripes, including the cardholder's full name, card number, card verification code, and expiration date. This is all the data needed to make purchases online, so threat actors can easily sell it on the Dark Web for profit.

Nevertheless, other sensitive details, such as home addresses, Social Security numbers, government-issued IDs, or other data required to open a bank account, were not impacted.

Not all the affected restaurants' customers were affected

The duration of the malware's presence within Checkers' systems varies from restaurant to restaurant. The earliest infection dates to September 2016, while some other restaurants were impacted from 2017. However, most locations were affected between 2018 and early 2019, with infections lasting until April 2019, when the company discovered the breach.[3]

The affected restaurants are located in Florida, California, Alabama, New York, Virginia, Ohio, Kentucky, Georgia, and many other major US states. The advisory also lists the precise addresses of the restaurants, so customers can check whether they were affected. Nevertheless, the company said that, based on the evidence acquired during the investigation, not all the customers who visited the listed restaurants were affected by data theft.

Currently, the corporation cannot distinguish affected customers from unaffected ones, but considering how long the restaurants were impacted by PoS malware, there is a high chance that the count could reach millions of customers across the US.

Take measures to avoid identity theft

Checkers said that it informed law enforcement, engaged third-party forensic investigators to deal with the issue, and is working on improving its security systems. While the number of affected customers is still unknown, the company is encouraging people to take steps to avoid identity theft and the loss of money from their bank accounts:

To protect yourself from possible identity theft, consider placing a fraud alert or security freeze (also known as a “credit freeze”) on your credit file. A fraud alert helps protect you against the possibility of an identity thief opening new credit accounts in your name. <…>

A security freeze is designed to prevent potential creditors from accessing your credit file at the consumer reporting agencies without your consent. Unlike a fraud alert, you must place a security freeze on your credit file at each consumer reporting agency individually.

Data theft is becoming a serious issue and affects thousands of companies worldwide. While some breaches can be minor or successfully prevented, attacks like those conducted against Equifax, Marriott International,[4] MyFitnessPal, First American,[5] and many others prove that corporations still have a lot to learn when it comes to protecting the personal information of people who provided it to them willingly.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
