Fast-food chain Burgerville revealed Wednesday that its customers’ credit and debit card information was stolen by the international cybercrime group known as FIN7.
The company, which has over 40 locations in Oregon and Washington, said customers that used a credit card at any of its locations between September 2017 and September 2018 should consider their cards compromised.
Burgerville says the information taken includes names, card numbers, expiration dates and CVV numbers.
“We realize that this intrusion was not only on Burgerville’s system, but also on your life,” Burgerville interim CEO Jill Taylor wrote in a letter to customers. “This isn’t what you expected to happen when you came to visit one of our locations.”
The company learned of the intrusion in August when the FBI reached out after it announced the arrest of three men tied to FIN7. In the indictment, the Department of Justice named a number of businesses based in Washington, but had not revealed that Burgerville was among those affected.
The company further learned in September that the malware responsible for stealing credit card information was still active on its systems. The company it has since been removed with the help of a private cybersecurity firm.
FIN7 has long targeted restaurant systems, along with other retail and hospitality companies.
Three men from Ukraine — Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30 — were labeled as the alleged masterminds of FIN7 after their arrests were announced in August. They were charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.