Restaurant customer management platform SevenRooms has confirmed it suffered a data breach after a malicious actor began selling stolen data on a hacking forum.
SevenRooms is a customer relationship management (CRM) platform used by international restaurant chains and hotel service providers, such as MGM Resorts, Bloomin’ Brands, Mandarin Oriental, Wolfgang Puck and many others.
On December 15, a malicious actor posted sample data to the Breached hacking forum, claiming to have stolen a 427GB backup database with thousands of files containing SevenRooms customer information.
The samples provided by the seller include records bearing the names of major restaurant chains, SevenRooms customers, API keys, promo codes, payment reports, reservation listings, and more.
After BleepingComputer contacted SevenRooms about the data being sold online, the company confirmed that the data breach was caused by unauthorized access to the systems of one of its vendors.
“SevenRooms recently learned that a third-party file transfer interface was accessed without permission,” a SevenRooms spokesperson told BleepingComputer.
“This may have affected certain documents transferred to or by SevenRooms, including the exchange of API credentials (now expired) and certain guest data, which may include names, email addresses and phone numbers.” – SevenRooms.
The company clarified that customers’ credit card information, bank account data, social security numbers or other similar highly sensitive information were not stored on the compromised servers, so they were not exposed during the attack.
Additionally, SevenRooms claims that there has been no direct breach of its systems, which remain protected from unauthorized external access.
“We immediately disabled access to the interface, launched an internal investigation, and currently have no evidence that any of SevenRooms’ proprietary databases were affected,” the spokesperson said.
“We have engaged independent cybersecurity experts to assist us with this investigation and will provide additional updates as needed.”
SevenRooms says it has hired an independent cybersecurity firm to help investigate the incident and will provide further updates as more information becomes available.
While it’s unclear which restaurants and customers were impacted by this breach, we’ll likely see other data breach notifications issued by restaurants whose customer data was exposed.