Just over 100 Checkers and Rally’s fast food joints and their customers were victimized by a long-running point-of-sale malware campaign that stole payment card information from purchases taking place as far back as December 2015, Checkers Drive-In Restaurants announced in an online breach notification yesterday.

The Tampa, Florida-based drive-thru chain said that approximately 15 percent of its locations were infected with the POS malware, listing 102 stores in 20 states: Alabama, Arizona, California, Delaware, Florida, Georgia, Illinois, Indiana, Kentucky, Louisiana, Michigan, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Tennessee, West Virginia and Virginia. One additional Checkers and Rally’s location will be distributing a separate notification, the company added.

Customer purchase data was exposed over various blocks of time, depending on the location. In some cases, stores were affected over multiple years. A Rally’s in Los Angeles appears to the first one infected, with data compromised from Dec. 17, 2015 through March 26, 2018. A cluster of more recent attacks began in October of 2018, with the latest recorded date of compromise cited as April 30, 2019.

The notification, signed by Checkers Chief Administrative Officer and Executive Vice President Adam Noyes, did not identify the malware used in the cyberattack, but noted that it “was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.” Based on collective evidence, it appears that no other cardholder personal information was impacted, the document added.

Although not every consumer who made a purchase at a targeted location was affected, Checkers was not able to discern which individuals were impacted and which were not. Consequently, the company is urging past customers to investigate the matter themselves by checking their payment card statements for fraudulent activity.

Checkers also did not indicate precisely when it first became aware of the incident, but it did state that the company responded by engaging with law enforcement authorities and payment card companies, and tasking leading data security experts to conduct an extensive investigation and remove the malware.

Noting that attackers “had years to make use of the stolen financial data and cover their tracks,” Shlomie Liberow, senior technical program manager at HackerOne, said in emailed comments that the breach “reminds us that any connected device is an attack surface and it’s not just online stores that face cybercriminal activity…”

“We can see this as almost the modern equivalent of ‘robbing the till,’ except in this example, it’s very much Checkers’ customers who are going to be financially disadvantaged here,” Liberow continued. “While it is yet to be confirmed if money was stolen from affected customers, unfortunately, it’s now going to be up to those individuals who think they did pay for fast food at any point in the last [few] years at the affected outlets to check their bank statements and credit reports to alert their providers to any fraudulent activity.”