Skip navigation
Elephant Bar reports possible data breach

Elephant Bar reports possible data breach

Malware found in payment processing system

CM Ebar LLC, parent to the Elephant Bar restaurants, warned customers who used credit cards at the 29-unit chain between August and December that their data may have been breached, the company said Tuesday.

The casual-dining operator said it was alerted to the potential security breach on Nov. 3, and it has investigated and removed the suspected computer malware that lead to the possible incident.

“Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain locations designed to capture payment card information,” the company said in a statement.

Elephant Bar has locations in Arizona, California, Colorado, Florida, Missouri, Nevada and New Mexico. The dates of the possible breach are Aug. 12 to Dec. 4.

CM Ebar LLC is owned by the Dallas-based Chalak Mitra Group, which also owns the Genghis Grill chain. Chalak Mitra acquired Elephant Bar in August 2014 in bankruptcy proceedings of the prior owner, Costa Mesa, Calif.-based S.B. Restaurant Co.

A representative for CM Ebar said the possible data breach included 20 restaurants in California, three in Colorado, two in Arizona and one each in the remaining states where it operates. A complete list of the restaurants is available at a microsite dedicated to the incident.

“We believe the malware could have compromised payment card data — including name, payment card account number, card expiration date and verification code — of customers who used a payment card at the affected locations,” the company said.

The company said it recommended that customers review credit and debit card account statements to determine if there are any discrepancies or unusual activity listed.

“We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward,” the company said.

The company said the incident did not include Social Security numbers, addresses or other sensitive personal information.

Contact Ron Ruggless at [email protected].
Follow him on Twitter: @RonRuggless

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.