Splash Car Wash officials said Wednesday they learned in mid-May of a possible data security breach that resulted in the compromise of a portion of patrons' credit card information.
"Once we learned of the compromise, our team immediately communicated with banking institutions and federal investigators, in addition to conducting our own comprehensive investigation," Mark Curtis, founder and CEO of the Greenwich-based company, said in a statement on Wednesday. "Ultimately, we discovered there was a confirmed external breach, and we quickly eliminated the malware causing the compromise. The protection and privacy of confidential patron information is a matter we take with extreme seriousness."
The breach occurred from Feb. 28 to May 16 and has affected about 1,400 of Splash Car Wash's nearly 400,000 patrons thus far, at six Splash Car Wash locations in Fairfield, Cos Cob, Shelton, Greenwich, Bridgeport and West Haven.
"We strongly urge all Splash patrons to check your credit card accounts to ensure there has been no additional fraudulent activity," Curtis said. "If fraudulent activity is discovered, please contact your credit card company immediately."
Splash Car Wash, founded 33 years ago, said that immediately following notice of the breach, it engaged a third-party forensic investigator and sought guidance from banking institutions to quickly remediate the source of the breach. Credit card systems at all 16 Splash Car Wash locations have been replaced by credit card readers verified as safe and provided by banking institutions.
"Splash Car Wash, in addition to others within our industry, is working in cooperation with the U.S. Secret Service and local law enforcement as part of a larger ongoing federal investigation," Curtis said. "Due to the sensitivity of the investigation, we do not know and are unable to provide any further information regarding the criminal act, but will maintain open communication as information becomes available."
The data of customers who have unlimited plans with Splash was not affected by the breach, as all unlimited data is encrypted, according to the company.
"After thorough investigation and remediation of the source of the breach, we are confident in the current and ongoing safety and security of your confidential information," Curtis said. "We will continue to monitor and protect our systems, while cooperating with federal investigators to determine the criminal(s) who installed malware to gain unauthorized outside access to credit card information."
Curtis encourages concerned customers to call 1-800-927-4489.