Fast-food chain PDQ is notifying customers about a potential data breach that may have compromised their personal and credit card information. The Tampa-based chicken restaurant chain said the point-of-sale data breach likely occurred between May 19, 2017 and April 20, 2018. The company learned on June 8 that credit card data and/or some names were likely compromised in the incident.
“We believe the attacker gained entry through an outside technology vendor’s remote connection tool,” PDQ said in a statement.
The breach affected nearly all 70 PDQ locations during the breach time period, except locations at the Tampa International Airport, Amalie Arena and PNC Arena.
Compromised data includes names, credit card numbers, expiration dates and cardholder verification value (CVV) numbers.
“It should be noted that the cardholder verification value that may have been accessed or acquired is not the same as the security code printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or printed on the front of other payment cards (e.g., American Express),” the company stated.
It is not clear how many customers and credit cards were affected in the breach.
"If you used a credit card for your purchase at a PDQ restaurant during the breach period, then your credit card number, expiration date, cardholder verification value and or name may have been accessed or acquired by a hacker," the company said.
The company said it immediately initiated an investigation after it was made aware of the incident and has since engaged a cybersecurity firm to conduct a comprehensive forensic review of the attack. PDQ has also notified law enforcement and is working closely with authorities and state regulators.
"Caring for our customers is a top priority," PDQ said. The company also hired a cybersecurity firm to conduct an extensive investigation into the incident. "We have taken steps to further strengthen the security of our systems to help prevent this type of incident from happening again."
Customers have been advised to closely monitor their account statements for any suspicious activity or unidentified transactions, monitor free credit reports and quickly report any unauthorized charges to their card issuer.
The incident comes as the latest in a string of security breaches and data leaks involving retail and restaurant chains in the US in recent months.
In April, it was revealed that millions of Panera Bread customers who ordered food online for eight months may have had their personal data exposed online. A month later, Tex-Mex restaurant chain Chili’s announced that malware of some of its payment systems may have harvested customers’ debit and credit card information.
Hawaii-based Zippy’s Restaurants also reported in May that point-of-sale systems at 25 of its locations were compromised and exposed customer data.