Wingstop Announces Data Security Incident Affecting Four Franchise Locations
DALLAS — Wingstop today announced that four of its independently owned and operated franchise locations may have been impacted by a data security attack on point-of-sale (POS) systems that could have enabled attackers to capture customer payment card information such as account number, expiration date or cardholder name.
After receiving indications of suspicious activity, the company immediately retained independent forensic investigative firm, Stroz Friedberg, LLC, to review the Internet-connected POS systems at all of its US franchise locations. The forensic review and the results of the overall investigation determined that the POS terminals at four locations could have been subject to a data security incident. The details of the findings about the suspected data security incident are as follows:
- One franchise in Corpus Christi, TX and one in Union City, CA each had malware on their POS systems between June 4, 2014 and July 31, 2014.
- The company received one report of suspicious activity that occurred around the same time frame, involving twenty customer payment cards that had been used at one franchise in Lubbock, TX.
- One franchise in Grand Prairie, TX had malware on its POS system between May 5, 2012 and June 27, 2012 and between November 11, 2012 and December 9, 2012.
In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems. Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location. The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.
“We regret that this incident occurred and apologize for any inconvenience or concern this may cause our customers,” said Charlie Morrison, CEO of Wingstop. “We will continue to work with our franchisees to enhance the security of their systems and protect the privacy and security of customer information.”
As a precaution, Wingstop urges customers of the above four locations to monitor their payment card account activity closely and report any suspicious activity to their payment card issuer immediately (addresses for the four locations can be found on the company’s website). Generally, customers are not responsible for fraudulent transactions if they notify their issuer in a timely fashion.
The incident has been reported to the relevant payment card authorities in an effort to protect customers against potential credit card fraud and Wingstop has been cooperating with law enforcement officials in the investigation of this matter. The Company is also taking steps to provide franchisees with solutions to strengthen controls and security of their POS systems.
Wingstop is offering 12 months of complimentary identity theft protection services through AllClear ID to any customer whose payment card information may have been affected. For more information about the services and for answers to any questions customers may have about the potential incident, customers may call toll-free (877) 615-3744, beginning January 16, 2015, Monday through Saturday, from 8:00 a.m. CT to 8:00 p.m. CT. The company has provided additional information, including the specific addresses of each impacted location, on its website and any future updates regarding this incident will be posted to the website at www.wingstop.com.
Founded in 1994 and headquartered in Dallas, Texas, Wingstop operates and franchises more than 700 restaurants across the United States as well as Mexico, Russia, Indonesia, Philippines and Singapore.