The Mexican food chain restaurant On the Border has announced a data breach that put customers’ payment information at risk in 28 states.

On the Border officials said the breach, discovered by the company on Nov. 14, exposed customers’ personal information, including their names, credit card numbers and credit card verification codes. The breach came from malware installed on a payment-processing system used by restaurants in 28 states. The malware collected customer information from April 10 and Aug. 10 this year.

The breach involved restaurants in the following states: Arizona, Arkansas, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Iowa, Kansas, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas and Virginia.

Officials said they are working with law enforcement and are in the process of notifying customers who might have had information compromised in the breach.