UPDATE (Oct. 3, 5:27 p.m. PT) — Burgerville says it has discovered a "sophisticated" cybersecurity breach that may have affected customers who paid with a credit card at any restaurant location in the last year.
Shortly after the company announced the breach Wednesday, a customer sought a class-action lawsuit against Burgerville.
The Vancouver, Washington-based burger chain is urging all customers who used a debit or charge card between September 2017 to September 2018 to review their statements for suspicious activity. Compromised customer information could include names, card numbers, expiration dates and the CVV numbers on the back of most cards.
It's not clear exactly how many customers could have had their data compromised, according to a Burgerville spokesperson.
"The tactics of this particular group of hackers make it very difficult to know exactly how many people were directly affected and exactly which card numbers were stolen. They are adept at concealing their digital footprints," spokesperson Chris Crabb wrote in an email to OPB.
The group behind the attack is called Fin7, a cyber-crime ring out of Eastern Europe that has attacked more than 100 U.S. companies. The U.S. Justice Department arrested three members of Fin7 in August. The group is believed to have stolen more than 15 million customer card records in 47 states and has been linked to other major hacks at Chipotle, Arby's and other restaurants.
In a news release, Burgerville said it first learned of the breach from the FBI on Aug. 22. The company agreed to keep the hack from the public so the FBI could fully investigate, Crabb said.
"Burgerville agreed to maintain the confidentiality of the breach as part of an active law enforcement investigation," she explained. "Though this investigation, Burgerville was able to provide valuable evidence to the FBI."
That investigation revealed what was originally believed to be a brief intrusion by hackers was actually still active. On Sept. 19, Burgerville began removing the malware from its payment system. The company said it finished removing malware from its system Sept. 30.
Crabb said the company did not let the public know because hackers could have created a backdoor into Burgerville's system if they had known the problem was being addressed.
Within hours of the hack being announced, Oregon resident Cassandra Nelson filed a class-action complaint in Multnomah County court.
The complaint alleges that Nelson had her financial card information compromised by Burgerville after purchasing food at various restaurants around the Portland metro area. It also alleges that the restaurant "collected and stored credit and debit card information" from Nelson at its sale systems.
"In an attempt to increase profits, Burgerville negligently failed to maintain adequate technological safeguards to protect plaintiff’s information from unauthorized access by hackers," Nelson's complaint states.
The complaint also alleges that Burgerville violated Oregon law by not informing customers as soon as it learned about the hack. Nelson is seeking monetary damages and a full accounting of how hackers gained access to customer information.
“We realize that this intrusion was not only on Burgerville’s system, but also on your life. This isn’t what you expected to happen when you came to visit one of our locations,” wrote interim Burgerville CEO Jill Taylor in a statement about the attack on the restaurant’s website.
The company is advising people who may have been impacted to obtain a copy of their credit report and consider freezing their credit out of an "abundance of caution." A customer support line has been set up at 1-855-336-6688.