Texas-based Brinker International — which operates over 1,600 Chili’s outlets worldwide — said that some of the chain’s restaurants have been involved in the incident, which is believed to have taken place between March and April this year.
In a statement, the company said that the data breach was first discovered on 11 May and “may have resulted in unauthorized access or acquisition of [customer] payment card data.”
It is not known how many customers have been involved.
According to Chili’s, malware was used to scrape credit and debit card numbers alongside cardholder names from point-of-sale (PoS) systems used for in-restaurant purchases.
No other information is believed to have been involved in the theft.
“We immediately activated our response plan upon learning of this incident,” Chili’s said.
The company added that it has “no reason to believe” there is any risk for customers to use their payment cards in-restaurant now the incident has been contained.
As it has only been a few days since the data breach was uncovered, Chili’s is not yet sure just how long consumer data has been scraped and stolen. However, the company is working with an external cyberforensics firm to ascertain the extent of the breach and has promised to update customers when more is known.
US law enforcement has been notified.
“We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this incident,” Chili’s said.