If you’ve eaten at Noodles & Company this year, check your credit card statement for charges you didn’t make.
The Broomfield-based chain of fast-casual restaurants has notified financial agencies, which in turn are sharing the news with customers.
“We have received information from Visa that during a recent security review, your Visa card number was identified as possibly being compromised at Noodles & Company locations and is at risk for unauthorized charges. Don’t worry — you won’t have to worry about paying for unauthorized charges because your card is backed by Visa’s Zero Liability protection (some limitations apply),” reads an e-mail sent to a customer Monday by Denver Community Credit Union. The bank is sending a new credit card.
Noodles officials responded Monday with this statement: “We are currently investigating some unusual activity reported to us on May 17, 2016, by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third-party forensic experts. Our investigation is ongoing and we will continue to share information.”
, a security-news site run by journalist Brian Krebs, . He had heard from multiple financial institutions about “a pattern of fraudulent charges on customer cards that were used at various Noodles & Company locations between January 2016 and the present.”
Krebs, massive data breach in 2013, said such attacks at restaurant chains have a similar security issue: an insecure point-of-sale system. While Krebs said he did not have extra insight into the Noodles breach, he said such systems —including at Wendy’s, which was breached — often are infected with malware that snatches up the customer’s credit card number and data as the card slides through the credit terminal.
“I’m pretty sure their customers’ card numbers are already being sold (online),” said Krebs, who that Noodles was in the process of testing and rolling out chip-card readers, which are built to cut down on counterfeit credit cards.
Chip cards produce a unique code during the transaction to prevent copying. By comparison, magnetic-strip cards store static data that can be swiped, copied and used to make counterfeit cards.
In October, Visa, MasterCard and others began requiring merchants to accept chip cards. Merchants who didn’t use special chip-card readers after Oct. 1 are for counterfeit activity. However, by February, of its merchants had shifted to chip-card readers.
Either way, consumers aren’t responsible for fraudulent activity on their credit card — whether they paid using a magnetic-stripe card or chip card. The cost is paid by the merchant, bank or the credit agency.
