Payment Card Incident

February 14, 2019

Taco Bueno Reports Findings from Investigation of Payment Card Incident

Taco Bueno is providing additional information about the payment card incident that we first reported on November 30, 2018. This notice explains the incident, the measures we have taken, and some steps you can take in response.

After receiving a report from a third party on October 29, 2018, suggesting there may have been unauthorized access to data from payment cards that were used at certain Taco Bueno restaurants, we immediately launched an investigation and engaged leading cybersecurity experts to assist us in looking for signs of an issue.

The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Taco Bueno restaurants. Taco Bueno started deploying an end-to-end encryption (“E2EE”) payment processing solution at some of its restaurants beginning in June 2017. For restaurants that had this E2EE solution installed, the malware would not be able to access payment card data from cards used on those devices after the E2EE solution was installed. For those restaurants where it had not yet been installed, the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.

The specific time frames when data from cards used at restaurants without the E2EE solution may have been accessed vary by restaurant over the general time frame of May 4, 2018 to November 22, 2018. There is one restaurant where access to card data may have started on March 22, 2018. There were earlier attempts to access systems at certain restaurants, but there is no evidence of attempts to access payment card data at those times. A list of the Taco Bueno restaurants involved and specific time frames is available here.

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.

During the investigation, we removed the malware, and we continue to work with cybersecurity experts to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.

We regret that this incident occurred and apologize for any inconvenience. If you have questions, you can call 877-845-7568 Monday through Friday between the hours of 8:00 a.m. and 8:00 p.m. CST.

Additional Steps You Can Take

We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111

Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742

TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft