Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.”

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, operating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.