Et tu, Chilis? Data breach compromises payment card data

The chain restaurant reports the breach occurred between March and April 2018

Between March and April of 2018, Chili’s restaurants were hit by a data breach that may have compromised some guests’ payment card information. The breach was discovered last Friday, according to a press release by Brinker International, which owns the 1,600+ location chain.

Per Chili’s press release:

♬ Hey you got maybe hacked, maybe-hacked, maybe-hacked ♬
♬ Hey you got maybe hacked, maybe-hacked, maybe-hacked ♬
♬ Chili’s got hacked, baby, hacked ♬

Ok, I’m going to level with you. That wasn’t the press release. And I will probably never get a PR job with Chili’s. But seriously, how could you even be mad at that?

Back to business, though. Here is what happened:

On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident. We deeply value our relationships with our Guests and sincerely apologize to those who may have been affected.

Chili’s immediately launched into its response plan and is currently working with third-party forensic experts to investigate exactly what happened.

Based on the information currently available, it appears as though malware was used to collect payment card information, specifically credit and debit card numbers and cardholder names, used during in-restaurant purchases at affected restaurants.

Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.

Chili’s suggests that all customers monitor their bank accounts for any unauthorized transactions. So far the complete scope of the breach is not known, including how many restaurants were affected and how many customers had their data compromised. The restaurant will continue to issue updates as they become available.

Overall, Chili’s handled this situation with aplomb. We’ve reached a point where, for big companies, data breaches aren’t a matter of if, they’re a matter of when. Chili’s had a contingency plan in place, it disclosed the breach within 72 hours of its discovery (something that would make GDPR compliance specialists proud) and the company is communicating clearly and giving customers actionable advice to help ensure that they aren’t negatively impacted.

All in all, at least externally, Chili’s has handled itself fine here. Besides, a data breach is not what keeps successful chain restaurants awake at night. Millennials are.

As always, leave any comments or questions below.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.