
Cyber Incident Victim: Noodles & Company

Date: Jan 2016

Location: United States of America

Summary

Noodles & Company experienced a cybersecurity incident involving malware on its payment systems, compromising customer credit and debit card data across over 400 locations in 28 states. The breach exposed cardholder names, numbers, expiration dates, and verification codes, with unauthorized access occurring over multiple months. The company initiated an investigation following reports of unusual card activity, engaging third-party forensic experts and law enforcement to address the compromise, while emphasizing its commitment to guest data security and apologizing for the inconvenience caused.


Description

Noodles & Company disclosed a cybersecurity incident involving unauthorized access to payment card systems at certain restaurant locations between January 31, 2016, and June 2, 2016. The breach was first detected on May 17, 2016, when the company received reports of unusual credit card activity from its payment processing partners. This prompted an immediate investigation with third-party forensic experts to examine potential system compromises. By June 2, 2016, the investigation confirmed that malware designed to extract payment card data during transaction routing had infected backend card processing systems at affected locations. The compromised information included cardholder names, credit/debit card numbers, expiration dates, and internal verification codes. The breach impacted stores across 28 U.S. states, affecting over 400 of the chain's 410 locations as of 2014.

The company publicly confirmed the breach on June 29, 2016, emphasizing that not all locations were affected but providing no specific customer impact estimates. Chairman and CEO Kevin Reddy issued an apology for the incident, stating the organization took guest data security seriously and had engaged forensic investigators and law enforcement to secure systems. No details were disclosed regarding malware delivery methods, attacker attribution, or whether non-cardholder personal information was accessed. The breach timeline indicated continuous card data exposure for nearly five months before detection, with containment measures implemented following the June 2 confirmation. Consequences included fraudulent card activity reports from financial institutions, though the scale of financial losses or identity theft incidents wasn't quantified in available disclosures.
