Caribou Coffee reports data breach including payment information at 265 stores

American coffee seller Caribou Coffee recently suffered a breach exposing customer payment data at 265 U.S. stores for roughly three months, according to a notice posted to the company’s website.

The retailer says an outsider had unauthorized access to point-of-sale systems at affected locations between Aug. 28 and and Dec. 3. Hackers may have accessed customer names, payment card numbers, expiration dates and security codes. The company says payments made through its rewards program were not affected.

Caribou says that it detected “unusual activity” on its network on Nov. 28, which prompted it to hire Mandiant, a cybersecurity incident response company owned by FireEye. Mandiant identified the issue within two days, the notice says, although customers may have been affected through Dec. 3.

Caribou says it’s working to beef up its network security and its payment system in order to better protect customer information. It also says it’s working with the FBI, which is conducting an “ongoing review.” Caribou also is notifying customers about the breach via email.

The notice urges customers to check if they visited an affected store and review their payment card statements and credit reports.

“We sincerely apologize that this breach occurred and assure you that our team is working to help prevent data security issues from occurring in the future,” the company said. “The privacy and security of your information is very important to us and we remain committed to doing everything we can to maintain the confidentiality of your information.”

Based in Minneapolis, Caribou owns or licenses 450 stores in the U.S. and 297 stores abroad.