Noodles & Company [NASDAQ: NDLS], a fast-casual restaurant chain with more than 500 stores in 35 U.S. states, says it has hired outside investigators to probe reports of a credit card breach at some locations.
Over the past weekend, KrebsOnSecurity began hearing from sources at multiple financial institutions who said they’d detected a pattern of fraudulent charges on customer cards that were used at various Noodles & Company locations between January 2016 and the present.
Asked to comment on the reports, Broomfield, Colo.-based Noodles & Company issued the following statement:
“We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third party forensic experts. Our investigation is ongoing and we will continue to share information.”
The investigation comes amid a fairly constant drip of card breaches at main street retailers, restaurant chains and hospitality firms. Wendy’s reported last week that a credit card breach that began in the autumn of 2015 impacted 300 of its 5,500 locations.
Cyber thieves responsible for these attacks use security weaknesses or social engineering to remotely install malicious software on retail point-of-sale systems. This allows the crooks to read account data off a credit or debit card’s magnetic stripe in real time as customers are swiping them at the register.
U.S. banks have been transitioning to providing customers more secure chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.
However, most of these chip cards will still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.
While a great many U.S. retail establishments have already deployed chip-card readers at their checkout lines, relatively few have enabled those readers, and are still asking customers to swipe the stripe. For its part, Noodles & Company says it’s in the process of testing and implementing chip-based readers.
“The ongoing program we have in place to aggressively test and implement chip-based systems across our network is moving forward,” the company said in a statement. “We are actively working with our key business partners to deploy this system as soon as they are ready.”