Credit Card transactions compromised at Yak and Yeti Restaurant operated by Landry's

Feb 03, 2016 in "Yak and Yeti"

Posted: Wednesday February 3, 2016 9:00am EST by WDWMAGIC Staff

Landry's, the operator of the Yak and Yeti Restaurant at Disney's Animal Kingdom, has released an update to their ongoing investigation regarding credit card transaction security.

From the Landry's press release:

"Findings from the investigation show that criminal attackers were able to install a program on payment card processing devices at certain of our restaurants, food and beverage outlets, spas, entertainment destinations, and managed properties. The program was designed to search for data from the magnetic stripe of payment cards that had been swiped (cardholder name, card number, expiration date and internal verification code) as the data was being routed through affected systems.

Enhanced security measures, including end-to-end encryption, have been implemented to prevent a similar issue from occurring in the future, and we continue to support law enforcement’s investigation. We are also working closely with the payment card networks to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring of those accounts. For those customers we can identify as having used their card at an affected location during that location’s at-risk window and for whom we have a mailing address or e-mail address, we will be mailing them a letter or sending them an e-mail."

According to Landry's, transactions at Yak and Yeti were compromised from 5/8/2015 to 12/3/2015. You can see the full list of all Landry's affected restaurants on their website.

Landry's has provided a phone number for any customers with questions: (877) 238-2151 (U.S. and Canada), Monday through Friday from 9:00 am to 7:00 pm EST.


Ariel4711 Feb 16, 2016

Sorry I'm just now responding to this, but luckily I haven't had any issues. Looks like you were correct and RFC (in WDW) wasn't affected.

donsullivan Feb 04, 2016

I'm an Orlando local so using a MagicBand for charging is not an option for me. However, I've become a huge fan of WDW support of contactless payment services like ApplePay. I use it exclusively at every Disney operated location I can with the exception of table-service which (to my knowledge) are still unable to accept that payment type at the table. Unfortunately that would do me no good on something like this since this is not Disney that was compromised and I've found very few of the 3rd party merchant locations on property accept non-MagicBand contactless payment methods.

rael ramone Feb 04, 2016

It's also good to know that those who stay on property who go 'bandless' can use their RFID card to charge to your room and get the same benefit. It's like a credit card that expires the day you check out.

rael ramone Feb 04, 2016

This is good to know. I don't know if it's required to offer credit monitoring, IMHO it's the ethical thing to do if a corporation has a credit breach.

danyoung56 Feb 03, 2016

I was wondering about that. If it's truly Rainforest Café, shouldn't the acronym be RC?

GeneralZod Feb 03, 2016

Good thing I used my magic band.

donsullivan Feb 03, 2016

There is no doubt that cost is a variable in the decision. If their POS platform cannot be updated to add those encryption features from the core (not uncommon if it's really old), then it needs to be done with external hardware. Having been thru a POS replacement with a retailer in a 'past life', it's a massive multi-year undertaking. With 500+ locations, no matter what they do it's going to be expensive and it will take some time to complete. Each mature company like this runs a risk analysis and decides they think the risk is worth the delay in adding that control to their environment. Unfortunately, most of those that do end up being 'forced' to make the updates independent of what they had budgeted when something like this happens.

Hazy Feb 03, 2016

It's cost. Without a revenue stream back. It drains bottom lines as the Intrusion Detection appliances, maintenance, employees to maintain, etc. are exorbitant.

donsullivan Feb 03, 2016

Having worked for a company that had to deal with an incident like this for a bunch of colleges some years ago, we found it takes a few days to get all of the mechanics in place for credit monitoring. Few companies 'plan' for this to happen so it takes some time to get everything worked out with the credit monitoring companies and then get that communicated to service desk staff.

rael ramone Feb 03, 2016

Just called the Landry's hotline for this incident... Apologized first. Asked for first and last name. Not asked for any other information in the event that they want to contact me further. Asked if I notified my bank. Asked if I noticed any activity that wasn't mine. Then said I should be vigilant, watch for charges on that card, apologized for the inconvenience again. It could be 'early' yet, but every other time I've followed up on a breach report, I was offered a year of free credit monitoring. Not here.

Andrew C Feb 03, 2016

Sorry, I said EBT but meant EMV...EBT are food stamp cards. :D

Andrew C Feb 03, 2016

Aren't all businesses required to update their systems for EMV?

donsullivan Feb 03, 2016

I added a note to that above anticipating this might come up. They are not technically 'required' to make the update but if they do not, the bank will hold the merchant liable for any loss as a result of the breach vs in the past, the bank ate the loss.

donsullivan Feb 03, 2016

It's really unfortunate the number of companies that still have not stepped it up to do this correctly. Retailers seem to be at the greatest risk with very old POS platforms where they can't just apply simple updates to add encryption but need to complete a major system upgrade that they are reluctant to invest in. As for the lawsuit reference made above, it's really difficult for any individual to sue a merchant that has a breach like this. To file such a suit you have to show that you were actually 'harmed' not just put at risk of being harmed. That became a big topic a couple of years ago around the Target and Home Depot breaches. The big change that happened last fall to try and fix this is the credit card industry (the banks) mandated the chip addition to cards. If a merchant has not converted to that and is still using swipe of mag stripe, liability for any fraudulent transactions is no longer covered by the banks but by the merchant that did not update their equipment.