The Catch Hospitality Group has suffered a malware attack, a point-of-sale malware has infected systems (POS) at several restaurants of the chain.The Catch Hospitality Group has suffered a malware attack, a point-of-sale malware has infected systems (POS) at several restaurants of the chain.

Catch Hospitality Group announced that a PoS malware has infected its payment systems at NYC hotspots Catch NYC, Catch Rooftop, and Catch Steak restaurants.

The malicious code was designed to steal credit card information from customers.

The company launched an investigation after detecting the unauthorized activity on some of its payment processing systems, it also hired a cybersecurity firm to investigate the security breach.

The investigation revealed the presence of PoS malware on some of its payment systems. PoS malware is used by crooks to steal track data encoded on the magnetic stripe on credit cards, including the credit card number, expiration date, and internal verification code.

“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through these POS devices. There is no indication that other customer information was accessed.” reads the data breach notification published by Catch Hospitality Group .

Experts determined that the PoS malware was active on the payment systems in the two locations in different timeframes. For Catch NYC (including Catch Roof), the timeframe was from March 19, 2019 through October 17, 2019. For Catch Steak, the timeframe was September 17, 2019 through October 17, 2019.

Not all POS devices were infected, the company pointed out that it uses two different point-of-sale (POS) devices at its locations, one that is brought to your table by waitstaff and stationary ones at the bar and where the waitstaff enter orders. Portable POS devices are not affected because they utilize point-to-point encryption.

“The cards involved in this incident are cards used at the bar or in the rare circumstances that a card was swiped at the device where waitstaff enter orders.”

The company declared that it has removed the malware and implemented enhanced security measures for its payment systems.

Catch Hospitality Group reported the incident to its payment processor and notified the incident to law enforcement.

The company recommends customers to review their payment card statements for any unauthorized activity and urge them to immediately report any unauthorized charges to the card issuer.

Pierluigi Paganini

(SecurityAffairs – Catch Hospitality Group, PoS malware)