Data from as many at 567,000 customer payment cards may have been exposed in a cyberattack on the point-of-sale system at some Cheddar’s Scratch Kitchen restaurants, parent Darden Restaurants Inc. says.
The Orlando, Fla.-based casual-dining company said federal authorities notified it that hackers may have targeted legacy POS systems at Cheddar’s in 23 states.
“We believe that payment card information, including card numbers, from guests who visited the affected Cheddar's restaurants between Nov. 3, 2017, and Jan. 2, 2018, may have been exposed,” the company said in a news release Wednesday. “We estimate the exposure to be 567,000 payment card numbers; however, we continue to assess the scope of the incident.”
Cheddar’s has added a page to its brand website that details the suspected data breach.
“Upon being notified of this incident, we activated our response plan and we engaged a third-party forensic cybersecurity firm to investigate,” the company said. “Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar's system that was permanently disabled and replaced by April 10, 2018, as part of our integration process.”
Darden bought Cheddar’s in April 2017 from private-equity groups L Catterton and Oak Investment Partners in a $780 million all-cash deal, and the company has been integrating the brand into its portfolio, which also includes Olive Garden and LongHorn Steakhouse.
“The trust our guests place in us is something we take very seriously, and we regret that this incident occurred,” Darden said.
The company has arranged to provide identity protection to those who may have been impacted by the incident.
Darden said the breach may have impacted Cheddar's restaurants in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin in the Nov. 3 to Jan. 2 timespan.
Other restaurant brands have reported recent data breaches, including a hacking incident at Dallas-based Chili’s Grill & Bar between March and April and another at Tampa, Fla.-based PDQ between May 2017 and April of this year.
As of May 27, Cheddar’s had 156 restaurants.
Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless