Chili's says customer names and credit card numbers were exposed
f you've eaten at Chili's restaurants within the past two months, then you might want to check your credit report and card statements.
Chili's parent company Brinker International announced over the weekend that customers' payment information was exposed in a recent malware attack.
Brinker did not disclose how hackers gained unauthorized access to its systems, how many customers or restaurants were targeted, or the exact dates when the personal data may have been exposed.
"While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names, from our payment-related systems for in-restaurant purchases at certain Chili's restaurants," Brinker said in a statement Saturday.
Brinker said that Chili's does not collect social security numbers, dates of birth or state identification numbers full date of birth, so that data was not compromised.
The Dallas-based company is the latest restaurant to disclose a data breach. Last month Panera Bread acknowledged that data of some customers including names, addresses and the last four digits of credit card numbers were vulnerable on its website for at least eight months. And earlier this year Applebee's found malware on its payment systems in 167 locations across 15 states, potentially exposing customer credit card data. The barrage of data breaches at restaurants and other businesses highlights the heightened risks of identity theft, and the continued vulnerabilities presented by payment systems, databases of customer information, and mobile apps.
Brinker said it first learned of the breach on Friday, the same day it first disclosed the breach. The company said it has notified law enforcement agencies and is working with independent experts to investigate and determine which customers were affected.
While it's not clear how many of Chili's 1,600 locations were affected, the company still urged customers "out of an abundance of caution" to take steps to protect their information. Those recommendations included placing a fraud alert on your credit file with the three national credit reporting agencies, Equifax, Experian and TransUnion and reviewing personal bank account information for suspicions activity. The company is also working to provide credit monitoring and fraud resolution service for the customers that may have had their data stolen, the company said.
"We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this incident," the company said in its Friday notice.
The company didn't immediately respond to a request for comment Monday, May 14.Story by Hamza Shaban. Shaban is a technology reporter for The Washington Post. Previously, he covered tech policy for BuzzFeed.