RMH Franchise Holdings says malware has been found on the point-of-sale systems of 167 Applebee’s locations, which could expose an undisclosed number of diners to potential fraud.

States with Applebee’s locations that were impacted by the security intrusion are Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Oklahoma, Pennsylvania, Texas, and Wyoming.

“Based on the experts’ investigation, RMH believes that unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations,” the company said.

Among the information the company believes was taken were guest names, credit or debit card numbers, expiration dates, and card verification codes. RMH says it discovered the security breach on Feb. 13. It did not notify customers until last week—and did not offer to pay for any credit protection services for affected customers.

Last month, Applebee’s announced it would close as many as 80 locations this year—on top of the 100-plus it shuttered in 2017. Same-restaurant sales in 2017 were down more than 5% at the casual dining chain.