"Based on the investigation, Kroll determined that some of the restaurants were subject to initial data breach from December 27, 2016 (the date of first breach varies by location), until the malware was contained on March 6, 2017. In some instances, the malware appears to have identified data from the card's magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every cardholder name was identified."
As of this writing, the malware is believed to have infected the POS equipment at 37 of Shoney's corporate-affiliated locations. A list of those restaurants is available here and in the statement linked to above.
BAHC continues to work with Kroll to determine what happened and how it can better secure its locations. While that investigation moves forward, individuals who patronized any of Shoney's affected restaurants since Christmas 2016 should review their credit reports for unauthorized activity. If they come across a charge they don't recognize, they should report it to their card issuer immediately. Customers should also consider placing a fraud alert and/or a freeze on their credit file.
News of this incident comes approximately two months after Arby's announced a payment card breach at its corporate restaurant locations.