Burgerville says thousands of customers' credit and debit card information may have been compromised during a cyberattack it learned of in late August.

The Vancouver-based fast-food chain says anyone who used plastic at its restaurants between September 2017 through last week should carefully watch their card statements for unauthorized charges. In addition, the chain recommends customers obtain a copy of their credit report to look for unauthorized information and consider freezing their credit.

"In an abundance of caution, Burgerville recommends that anyone who visited their restaurants between September 2017 and September 2018 should consider that their data may have been compromised," the company said in a written statement. Burgerville has 47 restaurants in Oregon and southwest Washington.

Burgerville said it learned of the breach from the FBI late in August. The chain didn't acknowledge the issue until Wednesday. The company said its first priority was to contain the breach and close off cybercriminals' access to its systems.

The Burgerville attack was conducted by an international cybercrime group based in Eastern Europe, according to the company. The U.S. Department of Justice said in August that the group, called "FIN7", attacked more than 100 American companies in 47 states.

Authorities said the attack primarily affected companies in the restaurant, gaming and hospitality industries, including Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli.

Three Ukrainians have been indicted in connection with the attacks.

Burgerville said it doesn't know how many of its customers were affected. It provided a phone number, 877-322-8228, that anyone can call to get a free copy of their credit report. The same information is available online at annualcreditreport.com.

Prosecutors say the FIN7 cybercriminals launched attacks on businesses in the U.S. and abroad with emails designed to appear legitimate to a company's employees, following up with additional emails and phone calls to fool recipients into thinking the messages were authentic.

Attackers stole millions of credit and debit card numbers, according to authorities, and then sold them. Burgerville said there is no evidence the thieves stole other personal information.

The company said it first learned of the breach on Aug. 22 and initially believed it was "a brief intrusion that no longer existed." The company's investigation discovered on Sept. 29 that the breach remained active, so Burgerville began steps to neutralize it.

"The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company's network," Burgerville said in a written statement. It said it completed the operation to seal the breach on Sunday.

A Portland attorney, Michael Fuller, immediately filed a complaint in Multnomah County Circuit Court seeking class-action status for Burgerville customers potentially impacted by the breach.

Wednesday's complaint alleges Burgerville failed to adequately protect credit card information and seeks "fair compensation" for any losses. It says Burgerville could have limited economic harm by promptly notifying customers once it learned of the breach.

This article has been updated with additional detail from Burgerville and information in the newly filed civil complaint.

--

| twitter:

| 503-294-7699