American fast-food chain Noodles and Company says malware got into its sales registers, allowing it to slurp customers' payment card numbers.

The biz admitted today that hundreds of restaurants in 28 US states were infected with card-stealing software nasties that harvested customer card names, numbers, expiration dates, and CVV codes. The malware was believed to have been active and siphoned card details between January 31 and June 2 of this year.

The malicious code was discovered on June 2, two weeks after a credit card processor told Noodles and Co it had detected fraudulent activity on payment cards used at the store. An investigation uncovered the malware in tills around the country (in California alone, more than 20 locations were listed.)

The company would not tell The Register how many payment cards were potentially harvested in the attack. "That's not a number we have," a spokesperson said.

Cards used for online purchases were not affected.

"Noodles & Company takes the security of our guests' information extremely seriously, and we apologize for the inconvenience this incident has caused our guests," chairman and CEO Kevin Reddy said in his obligatory statement on the breach.

"We continue to work with third-party forensic investigators and law enforcement officials to ensure the security of our systems on behalf of our guests."

Customers who spot unauthorized charges on their cards are being advised to contact their financial institutions to report the fraudulent charges, and consider placing a credit freeze to prevent further fraud.

Noodles and Co is not the first national chain to be hit with card-stealing malware infections on its sales terminals, and it will certainly not be the last.

Criminals have managed to infiltrate the networks of major chains including big-box retailer Target and Hilton Hotels and steal payment card details in the tens of millions. Researchers say that POS malware infections are "epidemic" throughout the retail world. ®