Sources at several financial institutions recently told investigative reporter Brian Krebs?they had uncovered a pattern of fraud on credit cards that had all been used at Chick-fil-A fast food locations across the United States.
Krebs says he first began hearing of a possible breach at Chick-fil-A in November 2014, but that there wasn’t much information to back it up until mid-December, when a major credit card association issued an alert warning of a breach at an unidentified retailer that had lasted from December 2, 2013 to September 30, 2014.
A source at one bank told Krebs?nearly 9,000 of their customers’ payment cards were listed in the alert, with Chick-fil-A as the only common point of purchase.
“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the source said.
While Chick-fil-A locations throughout the U.S. appear to have been affected by the breach, the source told Krebs the bulk of the fraud was concentrated in Georgia, Maryland, Pennsylvania, Texas and Virginia.
As a result, Krebs says he suspects that the breach likely affected only a subset of Chick-fil-A’s 1,850 locations — which would make it similar to other fast food breaches in 2014 at Dairy Queen and Jimmy John’s, which impacted franchises that outsourced their point-of-sale system management to specific third parties (Panasonic Retail Information Systems and Signature Systems, respectively).
In a statement released on Friday, January 2, Chick-fil-A said it first began investigating the possible breach on December 19, 2014, and stated, “We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”
“If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card,” the company added. “If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
Customers with questions are advised to call (855) 398-6439.