A recent report by independent security journalist Brian Krebs has revealed that the Atlanta-based fast-food restaurant chain Chick-fil-A is investigating a potential credit card breach at several U.S. locations.
According to Krebs, sources at multiple U.S. financial institutions identified a pattern of credit card fraud on accounts used at different Chick-fil-A restaurants nationwide.
The suspicious activity became evident after a major credit card association issued an alert to several other financial institutions regarding a data breach at an “unnamed retailer” lasting between Dec. 2, 2013, and Sept. 30, 2014.
One financial institution in particular, reported Krebs, confirmed it had nearly 9,000 customer credit cards listed in the alert – all with Chick-fil-A as the only common point-of-purchase.
The source added these transactions had occurred at locations across the United States, with the majority impacting restaurants in Georgia, Texas, Pennsylvania, Virginia and Maryland.
Chick-fil-A responded to the incident, stating that it is currently working with leading IT security firms and law enforcement, as well as its payment industry contacts, to further the investigation.
“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so,” stated the restaurant.
“If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card.”
Chick-fil-A added that it plans to provide free identity protection services and credit monitoring, if needed.
Krebs noted that if the incident is confirmed, the data breach is likely to have impacted only a subset of the chain’s 1,850 locations across 41 states.
“In that respect, it would be much like the breaches [reported] earlier this year at other fast food chains – Dairy Queen and Jimmy Johns,” said Krebs.
Dairy Queen confirmed the compromise of customer data from nearly 400 of its U.S. locations back in October, while the breach at Jimmy John’s restaurants exposed customer information at 216 stores nationwide.
As noted by Krebs, both incidents occurred at franchised stores that outsourced management of their point-of-sale systems to certain third-party companies. Meanwhile, numerous breaches in 2014 also came as the result of the sophisticated point-of-sale malware known as “Backoff.”
In August, US-CERT issued an advisory alert to U.S. retailers stating Backoff had affected more than 1,000 businesses in the same attack that breached payment processing systems of Target, UPS Stores and Supervalu.