It’s the conversation that no restaurant or hotel owner wants to have with one of its customers: “my credit card has some mysterious charges on it, and I believe that they stem from your business.” That’s exactly what happened to Blanca Aldaco, owner of Aldaco’s Mexican Cuisine at Stone Oak in San Antonio, Texas.
“I remember everything just like it happened today,” says Aldaco, as she recalls the day when a customer came into the restaurant to inform her of some unauthorized charges to his card. “I listened to his speak and then I asked him, ‘what makes you think it came from here?’ And he said, ‘well this is the only place that I used this card.” By noon on the following Saturday, the restaurant had received three similar calls from customers. “By Sunday, we had probably 70 calls,” says Aldaco.
When the Secret Service and the police department showed up at the restaurant that Wednesday morning, Aldaco was already hearing of charges from as far away as Turkey and Ireland. “It was global; it wasn’t just in the United States,” she says. In the United States, the majority of the stolen card numbers were being used at Walmart and Target.
When all was said and done, roughly 5,100 credit cards were compromised (although not all of them had fraudulent charges), as a result of an overseas hacker who infiltrated the restaurant’s network with a sophisticated malware between March 21 and May 17, 2010. “Basically what they did was install a malware memory dumper, so every time we swiped, it was going into an imaginary pocket and it would stay there until they extracted it,” says Aldaco.
But how would such an incident affect restaurant patrons? A September 2010 telephone survey of more than 1,000 U.S. adults by Harris Interactive on behalf of Cintas found that 76 percent would not return to a restaurant that they ate at if their personal information was stolen. Yet despite this data breach, Aldaco’s says that is has experienced the exact opposite due to its openness with its customers. To inform customers, the restaurant released a statement on its website, posted updates on its Facebook page, and maintained an active conversation with the media. Even though the restaurant had been breached, customers continued to return. “’We know [about the breach], we’re still here to support you.’ That’s what I kept hearing,” says Aldaco in reference to her conversations with guests over the following weeks. “You can’t cover it up. Speak with clients and be honest. Let people know what you are going through, you were victimized as well.”
Aldaco also related the frustration that she felt about not knowing enough about PCI. “There is no education, nobody tells you about this until it explodes in your face,” she says. “Make sure that you don’t have any stored data, call your POS seller and make sure that you are up-to-date. And if you are lucky enough to have an IT guy, get going.”
You are not alone
Although Aldaco’s brush with a data breach was frustrating for the restaurant’s management staff and its patrons alike, their story is not anything new to hospitality. The hospitality industry has long been a victim of data breaches for a number of reasons. Here are seven other hospitality organizations that suffered the same fate as Aldaco’s last year:
Wyndham Hotels & Resorts: In February 2010, Wyndham Hotels & Resorts issued an open letter to their guests informing them that certain Wyndham brand-franchised and managed hotel computer systems had been compromised by a hacker, resulting in the unauthorized acquisition of customer names and credit card information. The hacker was able to infiltrate central network connections to move information to an off-site URL before the hotel company discovered the intrusion in late January 2010. The breach was believed to have occurred between late October 2009 and January 2010.
Julie’s Place: This Tallahassee eatery was identified by the Leon County Sherriff’s Office Financial Crimes Unit as the source of card compromises for more than 100 consumer accounts over the summer of 2010. It is estimated that the incident resulted in $200,000 is fraud losses. According to BankInformationSecurity.com, the hackers targeted the restaurant’s point of sale system, somewhere between the network and the restaurant’s processor.
Destination Hotels & Resorts: Back in June, Destination Hotels & Resorts reported that the credit cards of guests who stayed at 21 of the company’s hotels may have been compromised. In a press release, the company said that it uncovered a malicious software program that was inserted into its credit card system from a remote source, affecting only credit cards that were physically swiped.
HEI Hospitality: In September 2010, HEI Hospitality, owner and operator of a number of Marriott-branded and Starwood Hotels & Resorts, informed the New Hampshire Attorney General’s Office and its customers of a compromise to its IT systems, occurring from March 25-April 17. HEI sent letters to some 3,400 customers, informing them that their credit cards may have been compromised. According to DataBreaches.net, the firm informed customers that they believed that the point of sale system used in a number of its hotels’ restaurants, bars, and gift shops, as well s the information management system used at check-in, were illegally accessed and transaction were intercepted.
Taco Bell:In late September, The Grand Rapids Pressreported on a credit card skimming scheme that that involved Taco Bell employees and two other individuals, Rodger Torres and Onil Rivas-Perez. Police say that the men used the card numbers to purchase pre-paid Visa gift card from three Meijer stores.
Broadway Grill: More than 1,000 credit and debit cards may have been compromised in an attack that occurred in late October on the Seattle Capitol Hill area restaurant, Broadway Grill. Officials say that the credit card data was stolen on October 22, and that the forensic trail leads overseas. The hacker, who was able to access the restaurant’s point of sale system.
McDonald’s: In early December, McDonald’s said that some of its customers may have been exposed during a data security breach when a hacker gained access to a third-party-managed database containing customer information, including: e-mail, phone numbers, addresses, birthdays and more. According to the company’s website, customers’ credit card information and Social Security numbers were not compromised.