The hack of credit-card-processing terminals at PF Chang's hit 33 of the company's locations across the U.S. and continued for around eight months, the company said Monday.
The restaurant chain operator first disclosed a possible hack of its credit- and debit-card-processing system in mid-June, but Monday was the first time it detailed which of its restaurants had been hit.
Eight locations had data stolen over an eight-month period from Oct. 19, 2013, until June 11, 2014. Data theft began at a second batch of eight restaurants on Feb. 21, and at another 15 restaurants on April 10, both ending on June 11. At two additional restaurants, theft began on Oct. 19, 2013, and ended on Oct. 26, 2013, and April 10, 2014, respectively.
The U.S. Secret Service tipped off PF Chang's to the breach, which the company later described as "part of a highly sophisticated criminal operation."
An investigation into the breach is still going on.
"The potentially stolen credit and debit card data includes the card number and in some cases also the cardholder's name and/or the card's expiration date," the company said in a statement. "However, we have not determined that any specific cardholder's credit or debit card data was stolen by the intruder."
After the breach, the restaurant switched to manual credit card imprint machines, but has since gone back to a more secure digital system.
PF Chang's is offering fraud alert services with credit monitoring bureaus to customers who might have been affected. A list of the restaurants that were hit is available on its website.