Best American Hospitality Corp. issued the following statement regarding stolen payment cards at some of the restaurants it manages and operates:
Best American Hospitality Corp. commenced an investigation after receiving a report that some payment card numbers that were used at restaurant locations it manages and operates (some of Shoney's corporate affiliated restaurants) had been stolen. Best American Hospitality Corp. hired Kroll Cyber Security, LLC, a leading cyber security investigation firm, to examine the payment card processing systems for all restaurants on its network.
Kroll's findings show that malware was installed remotely on point of sale equipment that processed payment cards used at some of the restaurants. The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected computer.
Based on the investigation, Kroll determined that some of the restaurants were subject to initial data breach from December 27, 2016 (the date of first breach varies by location), until the malware was contained on March 6, 2017. In some instances, the malware appears to have identified data from the card's magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every cardholder name was identified.
A list of the affected restaurants, along with the specific date of first breach (which varies by restaurant) is located at www.bestamericanhospitality.com. This page also contains more information on steps guests may take to protect their information. It is always advisable to remain vigilant to the possibility of fraud by reviewing payment card statements for any unauthorized activity and checking credit reports with credit bureaus including Equifax, Transunion and Experian, which offer free credit reports annually.
Affected guests should immediately report any unauthorized charges to the card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of payment cards.
Best American Hospitality Corp. has been working with Kroll Cyber Security, LLC to review its security measures, confirm that this issue has been remediated, and evaluate ways to enhance its security measures. Best American Hospitality Corp. is working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.