Caribou Coffee Co. disclosed Thursday that customers' credit card numbers and other security information may have been accessed as part of a data breach it first noticed on Nov. 30.
The company declined to say how many people were affected. In a notice posted on its website and sent to media organizations, Caribou Coffee listed 265 company-owned stores that were tied into the point-of-sale system that was attacked.
Most of the stores are in Minnesota, but the notice includes coffee shops in 10 other states.
Caribou said that customers who made a purchase with a credit or debit card between Aug. 28 and Dec. 3 may have had their name, credit card number, expiration date and security code stolen.
A letter from Caribou Coffee President John Butcher said the company reported the security breach to the FBI.
The company also is working with a leading cybersecurity firm to understand the scope of the incident, which explained the lag between when the breach was first discovered and when Caribou made an attempt to notify customers. The company said the investigation is ongoing.
Payments made through the Caribou Coffee Perks account or other loyalty accounts were not affected. Likewise not affected were catering orders placed online with sister brands under corporate owner JAB Holding Company: Bruegger's Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah's NY Bagels.
The company has set up a toll-free hotline at 1-877-698-3760, staffed Monday through Friday from 8 a.m. to 8 p.m. and weekends from 8 a.m. to 4 p.m. Consumers can also e-mail firstname.lastname@example.org.
Operators can pinpoint store locations that were part of the security breach, but will not be able to say whether individual accounts were compromised. The company encourages customers to remain vigilant by reviewing account statements and free credit reports for unauthorized activity.
Caribou sent e-mails to all of its Perks Reward members Thursday afternoon, letting them know of the breach. It said workers at stores were trained to answer customer questions. It did not put up signs in stores alerting customers that their financial data may have been compromised.
Caribou placed a link at the top of its web page, as well as those of Bruegger's, Einstein and its other brands, but it is dwarfed by a full-page graphic promoting its holiday drinks.
In the letter, Butcher said Caribou is closely monitoring its systems, data and account access.
"Additionally, we are making the necessary changes to strengthen our network against any future attacks, and improve our payment systems to protect your information going forward," according to the letter.
With headquarters in Brooklyn Center, Caribou Coffee is one of the largest company-operated premium coffeehouse chains in the United States. It has 273 company stores and 127 franchises in 18 states and 10 countries, according to its website, which says the data is current as of 2015.
It was purchased for $340 million by a privately held conglomerate, the Luxembourg-based JAB, in 2012.