One of the most popular U.S. drive-through restaurants has been hit with a data breach due to POS malware.

The popular Checkers and Rally’s drive-through restaurant chain was attacked by Point of Sale (POS) malware impacting 15 percent of its stores across the U.S.

Checkers is one of the largest drive-through restaurants in the U.S., operating in 28 states and headquartered in Tampa, Florida.

The security incident stemmed from cybercriminals breaching Checkers’ systems and installing malware on point of sale systems across more than 100 of its stores. The malware is designed to collect data stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.

“We recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations,” said Checkers on a Wednesday website advisory. “After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter.”

A Checkers spokesperson did not immediately respond to a request for comment from Threatpost. Based on the investigation, no evidence that data other than cardholder information was affected by this issue, Checkers said.

The incident impacted 102 stores Checkers across 20 states – which were all exposed at varying dates, including as early as December 2015 to as recently as April 2019 (a full list of impacted stores is on Checkers’ data breach security advisory page).

“Checkers’ statement indicates that this has been a long standing breach, with the earliest declared exposures going back to 2015,” Hardik Modi, senior director of Threat Intelligence at NETSCOUT, told Threatpost. “However, the majority of exposures began in 2018, suggesting the adversary achieved successful propagation across the internal network. POS malware has been very popular across the cybercrime space and the restaurant and hospitality industry in particular has been pillaged over the past 5 years, often by the same groups.”

While Checkers did not specify when it first discovered the POS malware, it said it worked closely with the third-party security experts to contain and remove the malware.

Checkers urged customers to review their account statements and order a credit report.

POS malware targets point of sale terminals and controllers; and enable remote attacks against card-present retail transactions are conducted. According to Verizon’s Data Breach Investigations Report, there has been a continual reduction in breaches involving point of sale environments and card skimming operations: With POS malware incidents falling from 63 percent of all retail breaches in 2014 to a mere 6 percent in 2018.

Despite that, POS continues to plague retail, restaurant and other types of stores.

“Point-of-sale security is proving to be an enormous challenge as attackers increasingly target the hospitality industry in hopes of accessing sensitive payment data,” Fred Kneip, CEO of CyberGRX, told Threatpost. “The Checkers/Rally’s incident is the most recent in a history of attacks targeting similar companies like Applebee’s, Wendy’s and Sonic. Third-party attacks are commonplace and restaurants must have dynamic visibility into the business exposure and cyber risk posed by their extended ecosystem so they can identify and mitigate security gaps that serve as open invitations to malicious actors.”

Last year, POS malware was found impacting 160 Applebee’s stores across the U.S. Other impacted stores have included fashion retailer Forever 21, and Intercontinental Group, which said their payment card systems had been breached. The Hard Rock Hotels and Casinos franchise also was stung by POS malware that managed to infect the chain’s inventory management SaaS application.

Despite these breaches, “the main mitigation has been the EMV compliance regulations which provide additional security for card-present transactions and have broadly been seen to reduce large scale POS based breaches,” Modi told Threatpost. “The fact that Checkers references magnetic stripe data in their statement is highly suggestive that these locations have continued to accept card swipe transactions, contributing to this exposure. Using EMV compliant transaction methods and terminals is the best mitigation for consumers and businesses alike. Franchise and chain businesses will always present a juicy target and monitoring for malicious activity can be the difference between a single store breach or a large scale incident such as this one.”