Burgerville has disclosed that is was the target of year-long data breach. Customers paying with credit and debit cards during September 2017-2018 may have had their information compromised.
Vancouver, Wash.-based Burgerville operates 47 locations in the Pacific Northwest. It is unsure how many credit and debit card numbers were stolen. According to a statement on the company’s website, Burgerville first learned of the breach from the FBI on August 22.
On September 19, as part of its forensics investigation, Burgerville said it discovered that the breach, which was initially thought to be a brief intrusion, was still active. The group of hackers had placed malware on Burgerville's network to collect data on an ongoing basis. In cooperation with the FBI, Burgerville immediately began taking steps to contain the breach and disable the malware with the help of a third-party team of cybersecurity experts.
Burgerville said its top priority was to contain the breach and close off the cybercriminals access, which was completed Sept. 30. The company notified customers of the breach Oct. 3.
The company has been under fire for not notifying customers of the breach sooner. (A Portland, Ore.-based attorney has already filled a class-action lawsuit.)
"The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company's network," Burgerville said in a written statement. "This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been."
Burgerville has a FAQ page on its site detailing what’s it’s learned from the FBI. The cybercriminals are believed to be Fin7, an international cybercrime group based in Eastern Europe. The U.S. Department of Justice said in August that the group attacked more than 100 American companies in 47 states including other restaurants such as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.