December 19, 2022

SevenRooms, a restaurant customer relationship management (CRM) platform used by international restaurant chains and hospitality service providers such as MGM Resorts, Bloomin’ Brands, Mandarin Oriental, Wolfgang Puck, and many more, has confirmed a data breach following the sale of stolen data on a hacking forum by a threat actor.

The information was discovered on the hacking forum ‘Breached,’ and the samples include text files containing client data, payment details, reservation information, and more.

According to the seller, there are 86,847 CSV files totaling over 427 GB. The files’ nature suggests that the company may have suffered a database leak as a result of a breach on one of its servers. Its samples include folders named after popular restaurant chains, SevenRooms customers, API keys, promo codes, payment reports, reservation lists, and more.

According to a third-party vendor, SevenRooms confirmed the data breach: “SevenRooms recently learned that a file transfer interface of a third-party vendor was accessed without authorization. This may have affected certain documents transferred to or by SevenRooms, including the exchange of API credentials (now expired), and some guest data, which may include names, email addresses and phone numbers. Our protocol is to not store credit card information in that space. SevenRooms does not collect social security numbers, bank account information, or similarly highly sensitive information from individual guests. We immediately disabled access to the interface, launched an internal investigation, and we currently have no evidence that any of SevenRooms’ proprietary databases were affected. We have retained independent cybersecurity experts to assist with this investigation and will provide additional updates as appropriate.”

The sources for this piece include an article in BleepingComputer.