Penn Station, Inc. recently announced [PDF file] that customers' names and credit and debit card data may have been accessed at several of its franchisee-owned Penn Station East Coast Subs restaurants at the beginning of March.
At this point, the company says, less than 20 percent of its more than 235 restaurants appear to have been affected. A list of the affected restaurants can be viewed here [PDF file].
"We want to make our customers aware of this issue and advise them to watch for any unauthorized use of their credit or debit cards," Penn Station president Craig Dunaway said in a statement.
The company says its franchisees changed the method of processing credit and debit card transactions following the breach, and federal law enforcement authorities are currently conducting an investigation.
Still, The Tech Herald's Steve Ragan points that there's some basic information missing from the company's announcement. "For example, the company says that the breach likely started at the beginning of March, and warns that customers who ate at the chain between then and April be on alert," he writes. "How many customers are we talking about, hundreds? Is it thousands, or tens of thousands? Penn Station didn’t say. Also missing from the basic notification letter on the website is Penn Station’s reason for waiting a month to tell anyone, and exactly how the breach was detected -- which is odd given that it’s mentioned the franchisees switched card processing methods due to the breach itself."