VIRTUAL VISION 2020 • Sept 30 - Oct 1

Chili’s Data Breach

I thought I had a bad weekend.  Then I heard about the Chili’s Data Breach.

Turns out Brinker International had issues that far outweigh the problems from sleeping on a 10-year-old mattress. The parent company of the Dallas-based Chili’s Bar & Grill said it learned of a data breach on Friday that included payment card information possibly being compromised between March and April of this year.

Brinker International responds to the Chili’s data breach

According to a press release on Brinker International’s website, the company said the following:

Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.

Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.

Brinker apologized to those who may be affected and said it is working with third-party forensic experts to investigate. “We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this incident,” Brinker said in a written statement on its website.

Additional information about the breach can be found on the Brinker International site.

Brinker International shares so far are down 0.87% as a result.

Upon further investigation, I found that Brinker International recently brought on a company called Red Hat solutions to offer support for its guests across its mobile app, website, in-restaurant table kiosks, and curbside dining. By using Red Hat solutions, according to their website, “Brinker built a unified e-commerce environment to support faster development and deployment, scale to meet peak traffic demands, and ensure the protection of guest data.”

Red Hat published a Brinker International case study shortly thereafter and stated that, “This is a guest-facing platform that takes credit card transactions, so it’s got to be highly secure… with a Red Hat-based container, we know it’s from a trusted partner and know it meets all PCI [Payment Card Industry] requirements, while letting developers and other internal users to spin up environments quickly.”

Could the Chili’s data breach have been prevented?

Not to place blame, and this is highly speculative, but did Brinker International or Chili’s themselves drop the ball by not fully utilizing its tools? With Red Hat meeting the requirements of PCI compliance, did Brinker or Chili’s overlook something? Too many false positives? How vulnerable were they? Was payment information shared and stored somewhere it shouldn’t have been? Obviously without any information provided from the forensic investigation, it’s all speculation at this point. But it just goes to show how important it is to have all of your ducks in a row. There is no substitute for having your I’s dotted and your T’s crossed when it comes to data protection. I’m sure there’s another cliché I could come up with, but I think you get the point.

Data breaches have been all too common in today’s cybersphere. A series of notable and massive data breaches occurred last year. Equifax, Uber, the Dallas emergency siren network and state election systems were just a few of the targets of successful hacks.