Add fast-casual restaurant chain Burgerville to the list of retail and hospitality companies victimized by the Eastern European cybercrime group FIN7.

The Vancouver, Wash.-based restaurant operator disclosed in an online security alert and FAQ page that it was infected with malware by FIN7, aka the Carbanak Group, resulting in a data breach that compromised customers’ payment card information.

The company, which has over 40 locations in the Pacific Northwest, said that any customers who visited a Burgerville restaurant between September 2017 and Sept. 30, 2018 are potentially impacted.

Burgerville said that it learned of the breach through the FBI on Aug. 22, at which point it launched a forensics investigation. But in an unusual twist, the company admits that it was under the impression that the intrusion had been a brief one — until the forensics investigation showed on Sept. 19 that the attack was still ongoing.

Only then did Burgerville take steps toward remediation, which was competed on Sept. 30 “This has included cutting off the various pathways the intrusion affected and upgrading systems to eradicate this breach,” the company stated in its alert.

Burgerville explained it did not announce the breach sooner because it was cooperating with law enforcement officials who requested for confidentiality during the investigation. Moreover, the remediation plan “had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network.”

The number of affected customer is apparently unknown, the company said, because “The tactics of this particular group of hackers make it very difficult to know exactly how many people were directly affected and exactly which card numbers were stolen. They are adept at concealing their digital footprints.”

On Aug. 1, 2018, the U.S. Department of Justice announced the arrest of three alleged FIN7 members, whom law enforcement officials believe helped the cybercrime gang target payment card and financial data processed by more than 100 U.S. companies. Past victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, Jason’s Deli, and what the DOJ described as additional local businesses in Western Washington.