The Dallas-based restaurant chain Wingstop has reported its currently investigating a possible “data security attack” at four of its franchise locations, with one incident suspected of dating back to 2012.
The company announced over the weekend that the potential breach may have allowed attackers to steal payment card information, such as account number, expiration date or cardholder name, from customers at three California and Texas locations in June and July of 2014, as well as a Texas restaurant for several months in 2012.
“We regret that this incident occurred and apologize for any inconvenience or concern this may cause our customers,” said Wingstop CEO Charlie Morrison in a statement. “We will continue to work with our franchisees to enhance the security of their systems and protect the privacy and security of customer information.”
Wingstop said it first learned of the incident after indications of suspicious activity, and responded by recruiting an independent forensic investigations firm to analyze its point-of-sale systems at all US-based franchise locations.
According to the company, the affected franchises located in Corpus Christi, Texas, and Union City, Calif., were found to have malware-infected POS systems between June 4, 2014, and July 31, 2014. Additionally, the restaurant received an alert of suspicious activity during these dates involving 20 customer credit cards that had been used at a Wingstop in Lubbock, Texas.
In 2012, a franchise unit in Grand Praire, Texas, was also affected with POS malware from May 5 to June 27, as well as later that year from Nov. 11 to Dec, 9.
The company stated it responded quickly to assist by immediately removing the online POS hard drives and installing new systems.
“Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location,” said the company. “The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.”
Wingstop customers that suspect they may have been affected are urged to monitor their account statements closely, and report any suspicious activity to their payment card issuer as soon as possible. As expected, the company will offer a year of identity theft protection service to impacted customers.
The company owns and franchises more than 700 restaurants across the Unites States, Mexico, Russia, Philippines, Singapore and Indonesia.