Noodles and Company confirms payment card breach

Brian Krebs first broke the story in May that casual food chain Noodles and Company had likely had a payment card breach. Now the company has confirmed it:


Press Release

Noodles & Company Provides Notice of Data Security Incident

Broomfield, Colorado, June 28, 2016 – Noodles & Company (NASDAQ: NDLS) today announced that a recent data security incident may have compromised the security of payment information of some guests who used debit or credit cards at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. Credit and debit cards used at the affected locations are no longer at risk from the malware involved in this incident.

What Happened? On May 17, 2016, Noodles & Company began investigating unusual activity its credit card processor reported to the Company. Noodles & Company immediately began working with third-party forensic experts to investigate these reports and to identify any signs of compromise on its computer systems. On June 2, 2016, Noodles & Company discovered suspicious activity on its computer systems that indicated a potential compromise of guests’ debit and credit card data for some debit and credit cards used at certain Noodles & Company locations.

Since that time, Noodles & Company has been working with third-party forensic investigators to determine how the security compromise occurred and what information was affected. The Company is also working to implement additional procedures to further secure guests’ debit and credit card information, including removing the malware at issue to contain this incident and to prevent any further unauthorized access to guests’ debit or credit card information.

Credit and debit cards used at the affected locations are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations. Noodles & Company is working with the United States Secret Service to investigate this incident. This notice has not been delayed by law enforcement.

What Information Was Involved? Through the ongoing third-party forensic investigations, Noodles & Company confirmed that malware may have stolen credit or debit card data from some credit and debit cards used at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. The information at risk as a result of this event includes the cardholder’s name, card number, expiration date, and CVV. A list of impacted Noodles & Company locations is available at www.noodles.com/security. This incident did not involve online debit or credit card transactions at www.noodles.com. This incident did not involve guests’ Social Security numbers as this information is never collected by Noodles & Company.

What We Are Doing. “Noodles & Company takes the security of our guests’ information extremely seriously, and we apologize for the inconvenience this incident has caused our guests,” Kevin Reddy, Chairman and Chief Executive Officer of Noodles & Company, stated. Reddy expanded, “We continue to work with third-party forensic investigators and law enforcement officials to ensure the security of our systems on behalf of our guests.”

For More Information. Noodles & Company has established a dedicated assistance line for individuals seeking additional information regarding this incident. Guests can call 888-849-1067, 9 a.m. to 9 p.m. EDT, Monday through Friday (excluding U.S. holidays). Guests can also find information on this incident and what they can do to better protect against fraud and identity theft at www.noodles.com/security.

What You Can Do. Noodles & Company encourages all guests to remain vigilant against identity theft by reviewing their financial account statements regularly and monitoring their credit reports for suspicious activity. Guests should immediately report any unauthorized charges to their card issuer. The phone number to call is usually on the back of the credit or debit card. Under U.S. law, guests over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Guests may also contact the three major credit bureaus directly to request a free copy of their credit report.

Noodles & Company encourages guests who believe they may be affected by this incident to take additional action to further protect against possible identity theft or other financial loss. At no charge, guests can have these credit bureaus place a “fraud alert” on their file, alerting creditors to take additional steps to verify their identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect the guest, a fraud alert may also delay guests’ ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms a guest’s fraud alert, the others are notified to place fraud alerts on the guest’s file. Should guests wish to place a fraud alert or have any questions regarding their credit reports, they may contact any one of the agencies listed below.

For more information and a list of affected locations, see their FAQ on the incident.

About the author: Dissent