Wingstop Restaurants Inc. is investigating a possible data breach in a “security attack on point-of-sale systems” at four of its franchised locations, the company said over the weekend.
The Dallas-based chicken wing chain said the suspected breach, which could have enabled attackers to capture customer payment card information, affected three restaurants in California and Texas in June 2014 and July 2014, and one Texas restaurant in two periods of 2012.
“We regret that this incident occurred and apologize for any inconvenience or concern this may cause our customers,” said Charlie Morrison, Wingstop CEO, in a statement. “We will continue to work with our franchisees to enhance the security of their systems and protect the privacy and security of customer information.”
After indications of suspicious activity, Wingstop retained an independent forensic investigative firm to review the Internet-connected POS systems at all of its U.S. franchise locations, the company said.
The more recent incidents involved one franchise restaurant in Corpus Christi, Texas, and one in Union City, Calif., which each had malware on their POS systems between June 4, 2014, and July 31, 2014, the company said. Wingstop said it also received one report of suspicious activity that occurred around the same time frame, involving 20 customer payment cards that had been used at one franchise in Lubbock, Texas.
The suspected 2012 case involved a franchise unit in Grand Prairie, Texas, that had malware on its POS system in two periods, May 5 to June 27 and Nov. 11 to Dec. 9.
In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems, the company said.
“Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location,” Wingstop said in its statement. “The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.”
As a precaution, Wingstop urged customers of the four locations to monitor their payment card account activity closely and report any suspicious activity to their payment card issuer immediately.
Wingstop said it would offer a year of complimentary identity theft protection services to any customer whose payment card information may have been affected, and would post updates on its website.
The retail industry has been hit by a number of data breaches over the past year, including the restaurants Chick-fil-A, Dairy Queen, Jimmy John’s and P.F. Chang’s China Bistro.
Wingstop owns and franchises more than 700 restaurants in the United States, Mexico, Russia, Indonesia, Philippines and Singapore.
Contact Ron Ruggless at [email protected].
Follow him on Twitter: @RonRuggless