When Zaxby’s Franchising Inc. announced that it was investigating the possible exfiltration of customer card information at 108 of their franchises, I contacted them to try to get more information. Unfortunately, their answers do not really shed additional light.
In a statement to DataBreaches.net, spokesperson Debbie Andrews did not directly answer the question as to when Zaxby’s first learned of the problem, stating only that, “After receiving information from several sources about potential fraud at certain Zaxby’s locations, Zaxby’s Franchising, Inc. hired a respected global security firm to lead an intensive forensic investigation and began to provide resources to our licensees, and in November 2012, we notified appropriate law enforcement of potential criminal activity.”
So when did Zaxby’s first get wind that there might be a breach? In August? September? July? October? Their notice does not provide any timeframe for consumers. Some of that may be due to the fact that as of Monday, they still did not appear to have confirmed or disconfirmed whether customer data was actually exfiltrated by any of the franchises’ systems, but they could have told us when they first were alerted to problems, and they have not done that.
Nor could they state when the malware got inserted on systems or how it got inserted. According to their statement to this site
Zaxby’s Franchising, Inc. has not determined the precise timing of when malware was placed on each licensees’ system…. Zaxby’s Franchising, Inc. is not certain at this point [how the malware got inserted]. We are working closely with each of our affected licensees to assist them in responding to the incident.
Okay, but without a timeframe or an estimate of when the window may have opened, anyone who’s used their card at a Zaxby’s store identified as affected is left wondering if their transaction was processed during a time when systems were compromised and may have been exfiltrating their information.
Better safe than sorry: if you’ve used your card at a Zaxby’s store on this list, I would suggest you check your card statements going back to August – or even earlier to be more cautious. Hopefully Zaxby’s will decide to be more forthcoming about when they were first contacted – either by customers or the credit card companies – while they continue to investigate.