NOTICE OF POTENTIAL PAYMENT CARD INCIDENT

What Happened?

On The Border is actively investigating a security incident that involves a payment processing system that services some of our restaurants. On November 14, 2019, we determined that some of our guests’ payment card information was accessed through malware installed on a payment processing system.

Our company has retained a leading forensics firm and is currently investigating the extent to which information in On The Border’s system has been impacted. We are cooperating with law enforcement and have also notified payment card networks of the investigation.

We have learned that the security incident may have involved payment cards processed at certain restaurants between April 10, 2019, through August 10, 2019. Not all On The Border restaurants have been impacted by this incident. Additionally, this incident does not affect guests who have made purchases for catering orders, nor does it affect our franchisees. We have already taken steps to contain and remediate the incident. We have determined this incident involves certain On The Border restaurants in the following states: Arizona, Arkansas, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Iowa, Kansas, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, and Virginia.

To ensure guests have the latest information, we have set up a dedicated page on our website – https://www.ontheborder.com/security. Guests may call our call center at 888-682-6882, which is open between 8 a.m. and 5 p.m. CST Monday through Friday (excluding federal holidays).

On The Border is committed to protecting the privacy and security of our guests and will continue to take quick action. While our investigation continues, we remind all of our guests to be vigilant and that it is always good practice to review your payment card statements regularly and report any unusual or unauthorized purchases to your financial institution.

When Did This Happen?

We believe that payment cards used at certain restaurants between April 10, 2019, through August 10, 2019, may have been impacted.

What Information Was Involved?

We believe the security incident impacted only payment card information which could include names, credit card numbers, credit card expiration dates, and credit card verification codes. We do not collect social security numbers, full dates of birth, or identification numbers of guests. Therefore, those identifiers were not compromised.

What We Are Doing.

On The Border values the privacy and the trust placed in us by our guests. We regularly update and strengthen our systems and processes to help prevent unauthorized access. Upon learning of this incident, we immediately began remediating the issue by working to identify and remove the malware which led to the potential compromise. As part of our ongoing commitment to protecting guest information and privacy, we are working with leading partners in cybersecurity to strengthen and enhance the security of our systems as we go forward.

Our investigation into this incident is ongoing. We will continue to exercise vigilance and use what we have learned from this incident to strengthen our safeguards. We have notified the payment card networks and law enforcement of this incident and we are cooperating with each of their investigations.

For More Information.

We have set up a dedicated page on our website – https://www.ontheborder.com/security – where we will post information and any updates about this incident.

What You Can Do.

1. Review your credit reports, and debit and credit card statements.

Place Fraud Alerts

Place Fraud Alerts with the three credit bureaus. You can place a fraud alert at one of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. The contact information for all three bureaus is as follows:

Equifax Fraud Reporting
1-866-349-5191
P.O. Box 105069
Atlanta, GA 30348-5069
www.alerts.equifax.com

Security Freeze

By placing a security freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. You will need to contact one of the three national credit reporting bureaus listed above to place the freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. There is no cost to freeze or unfreeze your credit files.

Additional Information

You can obtain additional information about the steps you can take to avoid identity theft from the following agencies. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them, at https://www.identitytheft.gov/.

California Residents: Visit the California Office of Privacy Protection (http://www.ca.gov/Privacy) for additional information on protection against identity theft. .

Kentucky Residents: Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601, www.ag.ky.gov, Telephone: 1-502-696-5300.

Maryland Residents: Office of the Attorney General of Maryland, Consumer Protection Division 200 St. Paul Place Baltimore, MD 21202, www.oag.state.md.us/Consumer, Telephone: 1-888-743-0023.

New Mexico Residents: You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from a violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. You can review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

North Carolina Residents: Office of the Attorney General of North Carolina, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, Telephone: 1-919-716-6400

Oregon Residents: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us/, Telephone: 877-877-9392.

Rhode Island Residents: Office of the Attorney General, 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, Telephone: 401-274-4400.

All US Residents: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW Washington, DC 20580, www.consumer.gov/idtheft, 1-877-IDTHEFT (438-4338), TTY: 1-866-653-4261.