SevenRooms, a restaurant customer management platform, has admitted to having suffered data breaches after a threat actor started selling stolen data via a hacking forum.
SevenRooms provides a platform for restaurant customer relationship management (CRM). It is used by many international restaurant chains as well as hospitality service providers such as MGM Resorts and Bloomin’ Brands.
A threat actor uploaded data samples to the Breached hacking forum on December 15. He claimed that he had stolen a 427GB backup database containing thousands of files with information about SevenRooms customers.
Samples provided by the seller include folders named for big restaurants, SevenRooms clients, API keys, promo codes, payment reports, reservation lists and other information.
BleepingComputer reached out to SevenRooms regarding the sale of data online. The company confirmed that the data being sold was its own, as a result of unauthorized access involving one vendor.
A spokesperson for SevenRooms told BleepingComputer that the company had recently discovered that a file transfer interface belonging to a third-party vendor could be accessed without authorization.
This may have adversely affected some documents that SevenRooms has transferred, such as the API credentials exchange (now expired) and guest data, which could include names, email addresses, and telephone numbers. – SevenRooms.
According to the company, guests’ bank account data and credit card numbers were not compromised, nor was any other highly sensitive information such as social security numbers. That information was therefore not exposed by the attackers.
SevenRooms also claims there was no breach of its security systems, which it says are protected against any unauthorized access.
The spokesperson stated that the company immediately blocked access to the interface and launched an internal investigation. At the moment, there is no evidence that SevenRooms’ proprietary databases were compromised.
We have hired independent cybersecurity experts for this investigation. Additional updates will be provided as necessary.
SevenRooms stated that it has hired an independent cybersecurity firm to assist with the investigation and will continue to provide updates as additional information becomes available.
Although it’s not clear which customers and restaurants were affected, there will be more data breach notifications from restaurants whose data was compromised.