Thank you for reaching out to learn more about the security breach at Burgerville.
We realize that this intrusion was not only on Burgerville’s system, but also on your life. This isn’t what you expected to happen when you came to visit one of our locations.
Beyond a breach of information, this type of intrusion impacts our way of life together. Feeling safe and having trust, these are core tenets of building a resilient community. From our mission: Serve With Love, we stand committed to being a good partner and helping to build confidence with the community that has given us so much.
Please take a moment to read through the Frequently Asked Questions below. After reading this information, if you still have additional questions, do not hesitate to call 1-855-336-6688 (toll-free, US only), Monday through Saturday, 6:00am-6:00pm (PST).
Yours with love,
Jill Taylor, Interim CEO, Burgerville
On August 22, 2018, the Federal Bureau of Investigation (FBI) notified Burgerville of a cybersecurity breach impacting a number of the company’s systems. The breach was perpetrated by Fin7 and was a sophisticated attack targeting companies with locations in the Pacific Northwest. Burgerville agreed to cooperate fully with the FBI investigation, and immediately began a forensic investigation of its own to determine the full extent of the breach.
On September 19, 2018, as part of its forensics investigation, Burgerville discovered that the breach, which was initially thought to be a brief intrusion, was still active. The group of hackers had placed malware on Burgerville’s network and were continuing to collect payment data. Burgerville immediately began taking steps to contain the breach and disable the malware with the help of a third-party team of cybersecurity experts and in cooperation with the FBI.
Over the course of the investigation, it was determined that some of Burgerville’s customers’ credit and debit card information, including names, card numbers, expiration dates, and the CVV numbers found on the back of most cards may have been compromised.
From the moment Burgerville was contacted by the FBI, the company has been fully engaged in a forensic investigation. As soon as Burgerville learned the malware was still in effect, a multi-phase remediation plan was activated. This has included cutting off the various pathways the intrusion affected and upgrading systems to eradicate this breach.
This intrusion was focused on credit and debit card information. There is no evidence of any other personal information being compromised. Burgerville is working with its customers and employees to address the effects of this incident.
The organization responsible for this breach is believed to be Fin7, a sophisticated international cybercrime group. On August 1, 2018, the U.S. Department of Justice issued a press release announcing the apprehension of three members of this group who have been connected with launching cyberattacks on more than 100 companies across 47 states. The press release mentions that there was a wave of attacks on local businesses specifically in Western Washington, which includes Burgerville.
The tactics of this particular group of hackers make it very difficult to know exactly how many people were directly affected and exactly which card numbers were stolen. They are adept at concealing their digital footprints. Since we can’t say specifically which card numbers were taken, we encourage everyone who used a card at a Burgerville location between September 2017 and September 30, 2018, to closely monitor their debit or credit card activity.
No one should be contacting you unless you first initiated contact.
* Don’t give out personal information on the phone, through the mail, or on the Internet unless you’ve initiated the contact and are sure you know who you’re dealing with.
* If you receive an email with a link or enter a transaction online, confirm that you are dealing with a legitimate organization before sharing any personal information. Check an organization’s website by typing its URL in the address line, rather than cutting and pasting it. Many companies post scam alerts when their name is used improperly. Or, call their customer service using the number listed on your account statement or in the telephone book.
* Beware of links in emails. If you see a link in a suspicious email link, don’t click on it. Hover your mouse on the link without clicking it to see if the hyperlinked address matches the link that was typed in the message.
If you have used a credit or debit card at Burgerville between September 2017 and September 30, 2018, you should:
* Review your card statements for any unauthorized charges. If you see something suspicious, contact your credit or debit card company immediately to report the activity.
* Set up credit/debit card account alerts. They are often the fastest and most effective way for you to know if there are fraudulent charges being made on your existing credit/debit card account, as these types of alerts provide real-time information to you about transfers, payments, and other transactions being made. Almost every bank and credit/debit card issuer provides account alerts for free as a service to consumers, and you can usually set them up by logging in to your online credit/debit card account or calling the telephone number on your card or statement.
* Obtain a copy of your credit report and look for unauthorized activity there, too. You can get a free copy of your credit report once every 12 months from each of the three top credit reporting agencies. To obtain your annual free credit report, please visit www.annualcreditreport.com or call 1-877-322-8228.
* You may also want to consider freezing your credit. As of September 21, 2018, freezing your credit is a free service provided by the three major credit bureaus. Go to each of the credit bureau websites linked below and locate the security freeze information.
* Burgerville has set up additional support online at burgerville.allclearid.com and though a service center which can be reached by calling 1-855-336-6688 (toll-free, US only), anytime between the hours of 6:00am-6:00pm (PST) Monday through Saturday.
Burgerville has neutralized the malware placed on its network during the breach. The company will continue to work with its cybersecurity firm to evaluate and upgrade its security systems.
Burgerville doesn’t store customers’ credit card numbers. The malicious software that was installed on its system by the hackers does. This malicious software has been fully contained.
Other than those who have publicly disclosed data breaches, as named in the Justice Department’s press release, Burgerville has not been provided the names of any other impacted companies.
The timeline of events is as follows:
August 22, 2018: Burgerville was contacted by the FBI regarding a data breach that had occurred in September 2017, a year ago. It was believed to have been a brief intrusion that no longer existed. In cooperation with the FBI, Burgerville immediately launched a full forensic investigation with the assistance of a team of cybersecurity professionals. Burgerville agreed to maintain the confidentiality of the breach as part of an active law enforcement investigation and to ensure that all pathways that the hackers were using could be identified and removed. Though this investigation, Burgerville was able to provide valuable evidence to the FBI.
September 19, 2018: Burgerville’s investigation revealed that the breach was still active. The company immediately began steps to remediate the breach, neutralizing the malware on its systems and ensuring that all access points to the hackers were effectively removed.
September 30, 2018: Burgerville completed its remediation plan. The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network.
This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been. However, in an abundance of caution, Burgerville recommends that anyone who visited their restaurants between September 2017 and September 2018 should consider that their data may have been compromised.
Updated at 4:24 am, Oct. 12, 2018