News

Four Wingstop franchise locations may be latest POS attack targets

Four Wingstop franchise locations may have suffered data breaches due to a point of sale (POS) attack.

January 19, 2015

Four Wingstop franchise locations in Texas and California may be the latest targets of a point-of-sale (POS) data security attack.

The breach may have enabled attackers to capture customer payment card account numbers, expiration dates and names.

According to a release from Wingstop, the company has retained independent forensic investigative firm, Stroz Friedberg, LLC, to review the Internet-connected POS systems at all of its US franchise locations. The forensic review and the results of the overall investigation determined that the POS terminals at four locations could have been subject to a data security incident. The details of the findings about the suspected data security incident are as follows:

One franchise in Corpus Christi, Texas and one in Union City, California each had malware on their POS systems between June 4 and July 31.

The company received one report of suspicious activity that occurred around the same time frame, involving twenty customer payment cards that had been used at one franchise in Lubbock, Texas.

One franchise in Grand Prairie, Texas had malware on its POS system between May 5, 2012 and June 27, 2012 and between Nov. 11, 2012 and Dec. 9, 2012.

In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems. Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location. The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.

"We regret that this incident occurred and apologize for any inconvenience or concern this may cause our customers," said Wingstop CEO Charlie Morrison in the release. "We will continue to work with our franchisees to enhance the security of their systems and protect the privacy and security of customer information."

As a precaution, Wingstop is urging customers of the above four locations to monitor their payment card account activity closely and report any suspicious activity to their payment card issuer immediately (addresses for the four locations can be found on the company's website). Generally, customers are not responsible for fraudulent transactions if they notify their issuer in a timely fashion.

The incident has been reported to the relevant payment card authorities in an effort to protect customers against potential credit card fraud and Wingstop has been cooperating with law enforcement officials in the investigation of this matter. The company is also taking steps to provide franchisees with solutions to strengthen controls and security of their POS systems.

Wingstop is offering 12 months of complimentary identity theft protection services through AllClear ID to any customer whose payment card information may have been affected. For more information about the services and for answers to any questions customers may have about the potential incident, customers may call toll-free (877) 615-3744, beginning Jan. 16, Monday through Saturday, from 8:00 a.m. CT to 8:00 p.m. CT. The company has provided additional information, including the specific addresses of each impacted location, on its website and any future updates regarding this incident will be posted to the website at www.wingstop.com.