Dear Valued Guest,

On June 28, 2016, we announced that a recent data security incident may have compromised the security of payment information of some guests who used debit or credit cards at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. We contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations.

We have issued the statement below to provide more information to our guests regarding this incident, our response and the steps you can take to better protect against fraud and identity theft.

In an era where sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. We encourage you to review your account statements regularly and monitor your credit reports for suspicious activity. Please read the statement below to find out more about the incident, how it may impact you and the resources available to you to better protect against fraud and identity theft.

If you have any questions or would like more information, please call us at 888-849-1067. Representatives are available to answer your questions 9 a.m. to 9 p.m. EDT Monday through Friday (excluding U.S. holidays). Any additional information on this incident will continue to be posted here.

We appreciate your patience and thank you for your continued support.

Sincerely,

Kevin Reddy

Chairman & CEO

Press Release

Noodles & Company Provides Notice of Data Security Incident

Broomfield, Colorado, June 28, 2016 – Noodles & Company (NASDAQ: NDLS) today announced that a recent data security incident may have compromised the security of payment information of some guests who used debit or credit cards at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. Credit and debit cards used at the affected locations are no longer at risk from the malware involved in this incident.

What Happened? On May 17, 2016, Noodles & Company began investigating unusual activity its credit card processor reported to the Company. Noodles & Company immediately began working with third-party forensic experts to investigate these reports and to identify any signs of compromise on its computer systems. On June 2, 2016, Noodles & Company discovered suspicious activity on its computer systems that indicated a potential compromise of guests’ debit and credit card data for some debit and credit cards used at certain Noodles & Company locations.

Since that time, Noodles & Company has been working with third-party forensic investigators to determine how the security compromise occurred and what information was affected. The Company is also working to implement additional procedures to further secure guests’ debit and credit card information, including removing the malware at issue to contain this incident and to prevent any further unauthorized access to guests’ debit or credit card information.

Credit and debit cards used at the affected locations are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations. Noodles & Company is working with the United States Secret Service to investigate this incident. This notice has not been delayed by law enforcement.

What Information Was Involved? Through the ongoing third-party forensic investigations, Noodles & Company confirmed that malware may have stolen credit or debit card data from some credit and debit cards used at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. The information at risk as a result of this event includes the cardholder’s name, card number, expiration date, and CVV. A list of impacted Noodles & Company locations is available at www.noodles.com/security. This incident did not involve online debit or credit card transactions at www.noodles.com. This incident did not involve guests’ Social Security numbers as this information is never collected by Noodles & Company.

What We Are Doing. “Noodles & Company takes the security of our guests’ information extremely seriously, and we apologize for the inconvenience this incident has caused our guests,” Kevin Reddy, Chairman and Chief Executive Officer of Noodles & Company, stated. Reddy expanded, “We continue to work with third-party forensic investigators and law enforcement officials to ensure the security of our systems on behalf of our guests.”

For More Information. Noodles & Company has established a dedicated assistance line for individuals seeking additional information regarding this incident. Guests can call 888-849-1067, 9 a.m. to 9 p.m. EDT, Monday through Friday (excluding U.S. holidays). Guests can also find information on this incident and what they can do to better protect against fraud and identity theft at www.noodles.com/security.

What You Can Do. Noodles & Company encourages all guests to remain vigilant against identity theft by reviewing their financial account statements regularly and monitoring their credit reports for suspicious activity. Guests should immediately report any unauthorized charges to their card issuer. The phone number to call is usually on the back of the credit or debit card. Under U.S. law, guests over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Guests may also contact the three major credit bureaus directly to request a free copy of their credit report.

Noodles & Company encourages guests who believe they may be affected by this incident to take additional action to further protect against possible identity theft or other financial loss. At no charge, guests can have these credit bureaus place a “fraud alert” on their file, alerting creditors to take additional steps to verify their identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect the guest, a fraud alert may also delay guests’ ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms a guest’s fraud alert, the others are notified to place fraud alerts on the guest’s file. Should guests wish to place a fraud alert or have any questions regarding their credit reports, they may contact any one of the agencies listed below.

Equifax P.O. Box 105069 Atlanta, GA 30348 800-525-6285 www.equifax.com Experian P.O. Box 2002 Allen, TX 75013 888-397-3742 www.experian.com TransUnion P.O. Box 2000 Chester, PA 19022-2000 800-680-7289 www.transunion.com

Guests may also place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from a guest’s credit report without the consumer’s written authorization. However, guests should be aware that placing a security freeze on their credit reports may delay, interfere with or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing, or other services. If a guest has been a victim of identity theft and provides a credit reporting agency with a valid police report, the agency cannot charge the guest to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge a fee to place, temporarily lift or permanently remove a security freeze. Guests will need to place security freezes separately with each of the three major credit bureaus listed above if they wish to place a freeze on all of their credit files. To find out more about how to place a security freeze, guests can contact the credit reporting agencies using the information below:

Equifax Security Freeze P.O. Box 105788 Atlanta, GA 30348 1-800-685-1111 (NY residents please call 1-800-349-9960) http://www.equifax.com/help/credit-freeze/en_cp Experian Security Freeze P.O. Box 9554 Allen, TX 75013 1-888-397-3742 https://www.experian.com/freeze/center.html TransUnion Fraud Victim Assistance P.O. Box 2000 Chester, PA 19022 Fraud Division 888-909-8872 http://www.transunion.com/credit-freeze/place-credit-freeze

Guests can further educate themselves regarding identity theft, fraud alerts and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state attorney general. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-919-716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us. And the Federal Trade Commission can be reached at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with the Commission. Guests can obtain further information on how to file such a complaint by way of the contact information listed above. Instances of known or suspected identity theft should also be reported to law enforcement.

About Noodles & Company

Noodles & Company is a fast-casual restaurant chain where its globally inspired dishes come together to create a World Kitchen. Recognized by Parents Magazine as a Top Family Friendly Restaurant, and Health Magazine as one of America’s Healthiest Fast Food Restaurants, Noodles & Company is a restaurant where Japanese Pan Noodles rest comfortably next to Penne Rosa and Wisconsin Mac & Cheese, but where world flavors don’t end at just noodles. Inspired by some of the world’s most celebrated flavor combinations, Noodle & Company’s menu offers soups, salads, sandwiches and shareables, too. Everything is made fresh to order, just as you like it, using quality ingredients. Dishes are delivered to the table allowing guests time to sit and relax or grab a quick bite. With more than 500 locations nationwide, from California to Connecticut, guests can find a location nearest them and take a tour of the global World Kitchen menu by visiting www.noodles.com.

FAQs

Q1. WHAT HAPPENED?

A1. A recent data security incident may have compromised the security of payment information of some guests who used debit or credit cards at certain Noodles & Company locations between January 31, 2016 and June 2, 2016. Credit and debit cards used at the affected locations are no longer at risk from the malware involved in this incident.

On May 17, 2016, Noodles & Company began investigating unusual activity its credit card processor reported to the Company. Noodles & Company immediately began working with third-party forensic experts to investigate these reports and to identify any signs of compromise on its computer systems. On June 2, 2016, Noodles & Company discovered suspicious activity on its computer systems that indicated a potential compromise of guests’ debit and credit card data for some debit and credit cards used at certain Noodles & Company locations.

Since that time, Noodles & Company has been working with third-party forensic investigators to determine how the security compromise occurred and what information was affected. The Company has confirmed that malware may have stolen credit or debit card data from some credit and debit cards used at certain Noodles & Company locations. The Company is also working to implement additional procedures to further secure guests’ debit and credit card information, including removing the malware at issue to contain this incident and to prevent any further unauthorized access to guests’ debit or credit card information.

Credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations. Noodles & Company is working with the United States Secret Service to investigate this incident.

Q2. WHEN DID NOODLES & COMPANY DISCOVER THIS INCIDENT?

A2. On June 2, 2016, Noodles & Company discovered suspicious activity on its computer systems that indicated a potential compromise of guests’ debit and credit card data for some debit and credit cards used at certain Noodles & Company locations.

Q3. WHAT IS NOODLES & COMPANY DOING IN RESPONSE TO THIS INCIDENT?

A3. Since discovering this incident, Noodles & Company has been moving forward on a number of fronts. These include:

Working with third-party forensic investigators to determine how the security compromise occurred and what information was affected. The Company is working to implement additional procedures to further secure guests’ debit and credit card information, including removing the malware at issue to contain the incident and prevent any further unauthorized access to guests’ debit or credit card information.

Noodles & Company contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations.

Cooperating with the United States Secret Service to investigate this incident.

Providing guests who may be affected by this incident with guidance on how to better protect against the possibility of fraud and identity theft.

Noodles & Company also established a dedicated assistance line for individuals seeking additional information regarding this incident. Guests can call 888-849-1067, 9 a.m. to 9 p.m. EDT, Monday through Friday (excluding U.S. holidays).

Q4. WHAT INFORMATION IS AT RISK?

A4. The information at risk as a result of this event includes the cardholder’s name, card number, expiration date, and CVV. This incident did not involve online debit or credit card transactions at www.noodles.com. This incident did not involve guests’ Social Security numbers as this information is never collected by Noodles & Company.

Q5. WHICH NOODLES & COMPANY LOCATIONS IN THE U.S. WERE IMPACTED BY THIS INCIDENT?

A5. Please click on a state below to see a list of affected restaurants in that state:

Q6. IS IT SAFE FOR GUESTS TO USE THEIR CREDIT CARD/DEBIT CARD AT NOODLES & COMPANY LOCATIONS?

A6. Yes, we have identified the malware and contained the incident. Credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in this incident. Guests can safely use their credit and debit cards at Noodles & Company locations.

Q7. WHAT SHOULD I DO IN RESPONSE TO THIS INCIDENT?

A7. Noodles & Company encourages all guests who may be impacted to be vigilant in monitoring your credit and debit card statements for any suspicious charges. If you identify any suspicious charges on your statement, you should immediately report these charges to your card issuer. The phone number to call is usually on the back of the credit or debit card. As a reminder, this incident did not involve any guest Social Security numbers, as this information is never collected or maintained by Noodles & Company. While your Social Security number is not at risk as a result of this incident, you can you can review the information in the release posted above for more general guidance on how to better protect against the possibility of identity theft involving your Social Security number.

Q8. WOULD NOODLES & COMPANY EVER CONTACT ME ASKING FOR MY PERSONAL FINANCIAL INFORMATION?

A8. No. Noodles & Company will never ask you to provide personal financial information in an email or by telephone. You should always be suspicious of any unsolicited communications that ask for your personal financial information or refer you to a web page asking for personal financial information.

Q9. WHERE CAN I GET MORE INFORMATION?

A9. If you have any questions or would like additional information regarding this incident, please call our dedicated assistance line toll-free at 888-849-1067, 9 a.m. to 9 p.m. EDT, Monday through Friday (excluding U.S. holidays).

To download a PDF viewer, click here.