February 15, 2019
Taco Bueno provided more information about a payment card incident first reported late last year after an Oct. 29, 2018, third-party report that data from payment cards used at the chain may have been breached, according to a news release.
The company's investigation discovered that malware designed to access payment card data from POS devices at some locations had reached the system but was deterred by the end-to-end encryption that had been installed at some locations beginning in June 2017.
However, at locations that had not yet installed the safeguards, the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) from cards' magnetic stripes as it was being routed through the POS device. The chain said today that it has no indication that other customer data was accessed.
The specific period during which such information was accessed varies by restaurant but generally spans the dates from May 4, 2018, to Nov. 22, 2018, though one location may have had such problems as early as March 22, 2018, the release said. A list of the Taco Bueno restaurants involved and specific time frames can be found at www.tacobueno.com/paymentcardincident.
Taco Bueno removed the malware and is continuing to work with cybersecurity experts to enhance security. In the release, the chain issued this statement:
"Taco Bueno regrets that this incident occurred and apologizes for any inconvenience. For more information regarding this incident, customers can visit www.tacobueno.com/paymentcardincident or call 877-845-7568 Monday through Friday between the hours of 8 a.m. and 8 p.m. CST."