Chick-fil-A Inc. is investigating a possible data breach last year at some of its restaurants, the company reported Dec. 31.
The Atlanta-based quick-service chicken chain, which has more than 1,800 units, said it was first alerted on Dec. 19 to the “suspicious” payment card activity at “a few” of its restaurants. The company said it began investigating immediately, working with data security firms, federal law enforcement and payment-industry contacts.
“The initial report was of potential suspicious activity involving payment cards at a few restaurants,” the company said on a special website page it created devoted to the investigation.
“At this point, we are working diligently to understand all of the facts,” the company said. “It would be premature for us to comment further given the pending investigation, but we will share additional facts as we are able to do so.”
A Chick-fil-A spokeswoman said Friday the company had no more recent reports on the investigation.
A number of retailers have suffered data breaches over the past year, including restaurants such as Dairy Queen, Jimmy John’s and P.F. Chang’s China Bistro.
Brian Krebs, founder of the KrebsOnSecurity.com website, reported he “first began hearing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but the reports were spotty at best.”
Krebs said a major credit card association issued an alert to several financial institutions just before Christmas about a breach at an unnamed retailer that lasted between Dec. 2, 2013, and Sept. 30, 2014.
One banking source told Krebs, “the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.”
Krebs said he suspected the Chick-fil-A restaurants impacted were franchised locations that outsourced point-of-sale system management to third-party companies.
In its New Year’s Eve statement, Chick-fil-A said: “If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts. Any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card.”
The company also said it would arrange free identity protection services, including credit monitoring, for any impacted customers.
Chick-fil-A is the nation’s 9th largest company in U.S. foodservice sales, according to Nation’s Restaurant News’ annual Top 100 census. In last year’s survey, Chick-fil-A maintained its No. 9 spot with U.S. systemwide sales of nearly $5 billion for the year ended December 2013.
Contact Ron Ruggless at [email protected].
Follow him on Twitter: @RonRuggless