Landry's Inc. has finally revealed more details on the credit card breach that affected 500 of its restaurants. Following its investigation into the data breach, which came to light in December, the parent company of Morton's the Steakhouse, Rainforest Cafe, Salt Grass Steakhouse, McCormick & Schmick's, and numerous other chains has published a list of all the affected locations along with date ranges to help customers identify whether or not their information may have been compromised.
The company's newly released intel reveals that diners who patronized its restaurants going back as far as March 2014 were put at risk. "Findings from the investigation show that criminal attackers were able to install a program on payment card processing devices at certain of our restaurants, food and beverage outlets, spas, entertainment destinations, and managed properties," the company's accompanying statement reads. "The program was designed to search for data from the magnetic stripe of payment cards that had been swiped (cardholder name, card number, expiration date and internal verification code) as the data was being routed through affected systems."
The statement also advises customers on what to do if they think they may have been affected: "If you used a card at an affected location during its at-risk window, we recommend that you remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner."
While most credit cards have no time limit on when customers can report unauthorized charges and not be held liable for them, things are a bit more tricky for diners who may have paid with a debit card: According to federal consumer protection laws, consumer liability for fraudulent debit card transactions depends on how quickly the unauthorized usage is reported. Even if your debit card wasn't physically stolen — as in the case of diners who may have had their card data compromised at a Landry's restaurant — you could be held liable for unauthorized charges if you don't report them within 60 days of receiving the bank statement containing said charges.
Fortunately, just because you ate at a Bubba Gump Shrimp Co. location during the specified time periods doesn't necessarily mean you were a victim of credit card fraud. "If you patronized an affected Landry’s property any time during the dates the company experienced a data breach, the chances that your credit card was involved are very, very high," says Brad Cyprus, chief of security and compliance at Netsurion, a company that provides remotely-managed security services for chains. "However, as we learned from the black market reaction to Target’s massive breach, there is a lower chance that your card will be used, due to the glut of available records — there are simply not enough criminals to exploit every card."
Plenty of other big restaurant chains have been hit with large-scale data breaches in recent years, including Jimmy John's and P.F. Chang's. Just last week it was revealed that customers at up to 6,000 locations of fast food chain Wendy's may have had their credit card data compromised. While many people have stopped carrying paper currency in favor of using credit or debit cards due to convenience or perceived safety, paying for dinner or retail purchases in cold-hard cash might be a wise decision — especially if you're patronizing the kind of large chains that data thieves like to target.