On Sunday, Brinker International, the restaurant company, disclosed a security incident involving the theft of payment card information at one of its restaurants, Chili’s. But so far the scope of the breach remains a mystery.
According to Brinker, customers were compromised at certain Chili’s restaurants between March and April, after malware infected one or more of its systems, collecting payment card information, including credit or debit card numbers and cardholder names. Beyond that, the company has released very few details but says it’s working with forensic experts to ascertain the scope of the breach.
Reached by Gizmodo on Tuesday, Brinker declined to identify which security firm it was working with and refused to provide any additional details about the type of malware involved. It would not say whether it has an approximation of how many customers or restaurants were impacted. Moreover, it would not say whether the payment card details were compromised during the transactions, or if a larger database containing payment card details en masse was compromised instead.
Given the timeline provided by Brinker, it appears to be responding appropriately, not only by notifying the public in the immediate aftermath, but also by working to assess how much damage will likely result from the breach. And the company says that it will continue to divulge information. Whether or not Chili’s customers will be given the full picture, however, remains to be seen.
“Law enforcement has been notified of this incident and we will continue to fully cooperate,” the company said. “We are working to provide fraud resolution and credit monitoring services for those Guests who may have been impacted.”
Data breaches occur so frequently now that customers can’t simply pack up and find other avenues for their purchases every time. How a company responds, and how quickly, is becoming more and more consequential with every breach. Equifax, which waited more than 40 days to disclose its mega-breach last year, clearly failed the test. Whole Foods was overly secretive when it was breached last year.
Brinker, however, appears to be on the right track, as long as its initial notice is followed up with a more substantive description of how the breach occurred. It would also be nice at least to know specifically what type of malware was involved, if only to more broadly generate awareness of this threat.