Church's Chicken said it is investigating a possible data breach involving credit and debit card information at some of its company owned locations in the U.S., where it operates quick service restaurants in 11 states. 

The company said an unauthorized third party may have accessed its payment processing systems at some of its 165 restaurants in the U.S., and it has notified federal authorities, credit reporting agencies and retained a cybersecurity forensics firm to probe the incident. The company security update page says the incident took place in 2019 and involved payment card numbers, names and dates. A list of locations possibly affected by the breach is on the site.

"Our company has retained a leading cybersecurity firm to help us determine exactly what happened and what more we can do moving forward to keep our customer's data secure," the company said in a statement. "We are also cooperating with federal law enforcement and have notified the payment card networks and credit reporting agencies to mitigate any potential harm to our customers."

Church's operates more than 1,500 locations in 25 countries worldwide, however, the incident only impacted some of its 165 company owned locations in the U.S. The company owns restaurants in Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Texas. 

A spokesperson said that customer payment card data impacted was only at point-of-sale or drive thru locations and not online or on apps. The company website said that orders through third-party delivery apps are run through a separate system and are not impacted. 

Cover image: iStock.