500,000 Cheddar's Scratch Kitchen customers involved in possible credit card data theft

Customers of the restaurant chain need to keep an eye on their bank accounts as their information may be up for sale.
Written by Charlie Osborne, Contributing Writer

Customers of Cheddar's Scratch Kitchen restaurants in 23 states are being warned that their credit card information may have been exposed in a suspected data breach.

On Thursday, Darden Restaurants, which acquired the restaurant chain last year, said that federal authorities warned the company of a security incident on August 16.

Information belonging to guests of Cheddar's Scratch Kitchen visiting between November 3, 2017, and January 2, 2018, may have been compromised. The leak potentially includes payment card information and card numbers.

In total, 567,000 customers are believed to be affected, but as the company is still investigating, this number may rise in the future.

Cheddar's restaurants located in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin are involved in the suspected data breach.

Darden said that the data breach may have occurred due to old, legacy point-of-sale (PoS) systems. After the acquisition, improvements were made and this included the permanent removal of the old system in April.

Therefore, the same attack vector cannot be used in the future to compromise more customer information. Current systems are not believed to be affected.

CNET: Equifax's data breach by the numbers: The full breakdown

Once notified of the breach, Darden brought in an external cyberforensics firm to discover the extent of the data leak. The investigation is ongoing.

"The trust our guests place in us is something we take very seriously, and we regret that this incident occurred," Darden says. "We deeply value our relationships with our guests, and our priority is to assist those who may have been impacted by this incident."

Customers that notice any suspicious activity in their bank accounts or on their credit reports are asked to get in contact with the company to enroll in a free identity protection service.

See also: Mexicans served with Dark Tequila in spyware spree

According to a recent report issued by Armor's Threat Resistance Unit (TRU), credit card numbers are valuable assets in the Dark Web, but the underground is "awash" with such information.

TechRepublic: A data breach may be more expensive than you think, thanks to these hidden costs

As a result, while cloned cards and identity theft can cause serious heartache for the victim, credit card information does not sell for as much as you may think. Armor says an average credit card can sell for as little as $10.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards