Cyber Incident Victim: Wingstop Inc.

In 2015, Texas-based restaurant chain Wingstop disclosed that malware had compromised point-of-sale (POS) systems at four independently operated locations, potentially exposing customer payment card data. The affected sites included establishments in Corpus Christi, Texas, and Union City, California, where malware was active from June 4, 2014, to July 31, 2014. A Grand Prairie, Texas location experienced two separate infection periods: May 5, 2012, to June 27, 2012, and November 11, 2012, to December 9, 2012. While malware was not confirmed at the Lubbock, Texas location, the company reported suspicious activity involving approximately 20 payment cards used there during a timeframe overlapping with other incidents. The malware specifically targeted cardholder names, account numbers, and expiration dates, with no evidence suggesting compromise of PINs, email addresses, or physical mailing addresses. Wingstop did not provide an estimate of affected customers but urged vigilance among patrons who visited these locations during the specified periods.

Upon discovering the breaches, Wingstop removed and replaced all internet-connected POS hard drives at the compromised locations with new systems. The company implemented enhanced security controls across its franchise network to strengthen POS system protections. All potentially impacted customers received offers for complimentary identity theft protection services valid for one year. Wingstop's public FAQ advised customers to review payment card statements for unauthorized charges and report suspicious activity to financial institutions. Forensic investigations found no evidence of malware on POS systems at other Wingstop locations beyond the four confirmed sites. The incident highlighted vulnerabilities in franchise-operated payment systems during a period of widespread POS malware attacks targeting the food service industry.