Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation.
KrebsOnSecurity first began hearing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but the reports were spotty at best. Then, just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014.
One financial institution that received that alert said the bank had nearly 9,000 customer cards listed in that alert, and that the only common point-of-purchase were Chick-fil-A locations.
“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the banking source said, speaking on condition of anonymity.
The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.
Reached for comment about the findings, Chick-fil-A issued the following statement:
“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants. We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”
“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”