Late on December 17, 2015, Houston-based Landry’s Inc. announced a massive, network-wide credit card breach affecting its restaurants. Landry’s owns and operates over 500 restaurants, including well-known chains such as Bubba Gump’s, Rainforest Café, Mastro’s Restaurants, McCormick and Schmick’s, Morton Steakhouse and Claim Jumper. According to Kreb’s on Security, the breach may date back to May 2015 and in some cases, may be continuing. It is not clear yet how many restaurant chains are affected.
While Landry’s is investigating the scope of the breach (which the company expects could take weeks or months), it believes that the breach exposed data available on the magnetic stripe of credit cards, which includes consumer names, card numbers, expiration dates and verification codes. According to Kreb’s, banks have detected fraudulent charges. Although Landry’s is implementing an upgraded and more secure payment processing system, it believes that the breach began before the new system’s installation.
From an insurance perspective, what may make this breach different (and worse) is the sheer number of entities under the same corporate umbrella. Unlike the Anthem breach which targeted just Anthem, even though the fall-out reached multiple health plans, the Landry’s breach may involve multiple entities: individual restaurants and chains. If different restaurants and chains qualify as named insureds under a Landry’s policy, then insurers may be looking at a type of aggregation scenario: one insured is actually dozens of insureds, and they all have the same breach. But even if each restaurant has its own policy, they may come after Landry’s as the gateway to the breach.
Under either scenario, insurers will be getting to know the Landy’s breach in 2016.