Fast food restaurant chain Chick-fil-A could well be the first retail breach to be publicly confirmed in 2015. Chick-fil-A released a public statement on Jan. 2, confirming that it is investigating a possible data breach at its restaurants.
While Chick-fil-A’s statement was issued on Jan. 2, the company admitted that it received a report about a potential breach on Dec. 19. After the report was received, Chick-fil-A indicated that it launched an investigation to determine what had occurred.
“The initial report was of potential suspicious activity involving payment cards at a few restaurants,” Chick-fil-A stated. “Our investigation is ongoing and we will update as we are able to do so.”
Chick-fil-A reported 2013 sales of more than $5 billion and has over 1,850 locations, including both stand-alone restaurants and mall locations. Though Chick-fil-A is not currently providing any details on how many of its locations were affected and when the breach occurred, there is some speculation that the breach is extensive.
According to a report in KrebsonSecurity, the breach lasted from Dec.2, 2013, to Sept. 30, 2014, and may have affected as many as 9,000 credit cards.
While Chick-fil-A is not yet providing details on the actual breach, the company is emphasizing that if a breach is confirmed, customers will be not be responsible for fraudulent charges.
“Any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card,” Chick-fil-A stated. “We will arrange for free identity-protection services, including credit monitoring, to any impacted customer.”
Chick-fil-A now joins a number of well-known retailers and restaurant chains on the list of companies that experienced data breaches in 2014. On June 12, Chinese food restaurant chain P.F. Chang’s confirmed that it had been the victim of a data breach. As a result of the breach, P.F.Chang’s temporarily suspended its use of electronic point-of-sale (POS) credit card terminals and instead reverted to using manual credit card imprints.
Restaurant chain Jimmy John’s disclosed a breach on Sept. 24 that affected 216 of its restaurant locations. Dairy Queen confirmed a data breach on Oct. 9 that impacted 395 of its stores. In both the Dairy Queen and Jimmy John’s breaches, third-party payment processing vendors were blamed.
In the Dairy Queen incident, the notorious Backoff malware family was identified as being used by the attackers. The U.S. Secret Service first issued a public alert about Backoff in August, warning that the malware had affected more than 1,000 retailers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.