Chili’s Takes the Hit on Malware This Time

May 16, 2018         By: Steven Anderson

Recently, I went back to Chili’s after an unpleasant experience that I like to call “the day they ruined their fajitas.”  Promises of improved fajitas were made, and mostly kept, though not as far as I’d have liked. Anyway, about the time Chili’s was improving its fajita recipe, hackers were likewise improving their own game, and proved as much by giving Chili’s a data breach that may well have netted card information.

A press release from Chili’s parent firm Brinker International noted that credit and debit card numbers as well as cardholder names were among the information potentially compromised. Thankfully, Chili’s doesn’t collect a lot of sensitive data like social security numbers, so the damage is limited.

To Chili’s credit, it first found out about the breach on Friday, May 11, and announced it over the weekend. It took a while to spot that breach as it had run between March and April of 2018—it’s still working to figure out just how deep this rabbit hole goes—but when it knew about it, it told customers in short order.

It also promptly got to work on a response plan, including notifying law enforcement officials and establishing a connection with a third-party data forensics team in a bid to find out what it can from its own records. The company also plans to offer credit monitoring and fraud resolution services for those actually affected by the breach.

The news is not as bad as it might have been. Chili’s responded about as quickly as it could—though why it couldn’t have found the breach back in March instead of mid-May is not immediately clear—and has the standard slate of risk amelioration tools ready to go. Naturally, customers should keep a watchful eye on their own accounts, but beyond that, the problem is about as fixed as it gets.

Data breaches may well be one of those inevitable new risks of dining out. Perhaps we’d all do well to set up an account specifically for such things when eating out, and keep it only minimally funded. The risk is certainly substantial, and though Chili’s is on the ball as far as responses go, the next time it may be six months before it catches on rather than somewhere between two and 10 weeks.