Darden Restaurants suffered a point-of-sale system data breach at certain of its Cheddar’s Scratch Kitchen locations that exposed at least 567,000 payment card numbers.

The breach took place between November 3, 2017, and January 2, 2018, in Cheddar’s located in 23 states nationwide. The company did not detail how many locations were affected, but the chain operates 156 Cheddar’s facilities and overall the company runs 1,700 restaurants. Darden said payment card information, including card numbers, were likely exposed.

“Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar’s system that was permanently disabled and replaced by April 10, 2018, as part of our integration process,” the company said in a statement.

A third-party forensic team has been called in to investigate the incident and Darden has arranged for ID Experts to provide identity protection services at no cost to those customers possibly affected.