Skip navigation
Taco Bueno names chief people officer Ron Ruggless

Taco Bueno outlines data breach incident

Malware in POS devices may have accessed payment-card info

Taco Supremo Management LLC, the new owner of Taco Bueno, said malware in some point-of-sale devices may have allowed a payment card data breach between March and November last year, the company said Thursday. 

The Mexican quick-service brand indicated about 150 restaurants may have been affected, apparently including some that closed last fall. The general time frame when data may have been accessed was May 4 to Nov. 22 of last year.

“There is one restaurant where access to card data may have started on March 22, 2018,” the company said in a statement.

Taco Bueno said it received a report on Oct. 29 that suggested unauthorized access to data from payment cards and it launched an investigation with cybersecurity experts. 

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain Taco Bueno restaurants,” the company said. 

Beginning in June 2017, Taco Bueno had started deploying an end-to-end encryption, or E2EE, payment processing solution at some of restaurants. The locations with E2EE protection were apparently not affected.

“For those restaurants where it had not yet been installed, the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” the company said. “There is no indication that other customer information was affected.”

The company said the malware was removed during the investigation and it is working the cybersecurity experts to “evaluate ways to enhance its security measures.”

A searchable list of Taco Bueno units that may have been affected is available at the company’s website

Taco Bueno advised that customers should immediately report any unauthorized charges to the payment card issuer.

“Taco Bueno regrets that this incident occurred and apologizes for any inconvenience,” the company said.

For more information, customers can visit www.tacobueno.com/paymentcardincident or call 877-845-7568 Monday through Friday between 8 a.m. and 8 p.m. CST.

Dallas-based Sun Holdings Inc. acquired Taco Bueno in a pre-packaged Chapter 11 bankruptcy in November. Sun Holdings has more than 800 franchise restaurants across eight states, including Burger King, Popeyes’ Louisiana Kitchen, Arby's, Golden Corral and Krispy Kreme locations. 

Founded in 1967 in Abilene, Texas, Taco Bueno has 146 restaurants in Arkansas, Kansas, Louisiana, Missouri, Oklahoma and Texas.

Contact Ron Ruggless at [email protected]

Follow him on Twitter: @RonRuggless 

Correction: February 15, 2019
This story has been edited to correct the end-to-end encryption acronym as E2EE.
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish