Zippy’s Restaurants alerted its customers Friday of a data breach that has affected all 25 restaurant locations as well as its Napoleon’s Bakery, Kahala Sushi and Pearl City Sushi locations.
Customers’ debit and credit cards used at any of the above eateries between Nov. 23 and March 29 may have been compromised, Zippy’s warns.
The information affected by this “security incident” might include a cardholder’s name, credit card number, expiration date and security code, the company said in a news release.
A small number of cards used to buy drinks at Pomaikai Ballrooms also may have been affected during the same time period.
Not affected were cards used to place orders on Zippy’s website, payments for senior cards submitted at its corporate office, fundraisers, catering orders, A Catered Experience and Food Solutions International.
The restaurant chain learned March 9 of a “security incident” involving its credit and debit card processing system but took nearly 1-1/2 months to inform the public.
Zippy’s said it immediately began an investigation and hired independent computer forensic experts to help investigate.
Its experts notified the company April 4 about the details of the data breach.
The state Office of Consumer Protection said Friday it is investigating the data breach.
“This is a significant breach affecting thousands of Hawaii consumers that must be taken very seriously by both Zippy’s and its affected customers,” OCP Executive Director Stephen Levins said. “Immediately upon learning about it this afternoon, we initiated an investigation to get to the bottom of it.”
As for the timing of the announcement, Zippy’s said it is standard practice in large retail data breaches for a company to make a public announcement after it conducts its own investigation.
Zippy’s Restaurants declined to provide any further details on how or when the security breach occurred. It also did not provide any estimates of how many cards may have been affected.
“Zippy’s takes the security of its customers’ information seriously,” Paul Yokota, president of FCH Enterprises, parent company of Zippy’s, said in a written statement. “We are working closely with data security experts to implement processes and measures that will improve our system security to help prevent this from happening again.
“We sincerely apologize for any inconvenience this incident may cause.”
The company urges customers to closely monitor their credit and debit card statements and to contact their financial institution if they identify any suspicious activity.
To prevent further such incidents, Zippy’s is upgrading its system hardware, “changing the way certain software and system processes work, and further enhancing system security and monitoring.”
Data breaches are on the rise for retailers and other businesses, Business Insider reported earlier this month.
At least 14 national retailers have been hacked and had information stolen from them since January 2017, the April 6 article said. They include Kmart, Delta, Best Buy, Saks Fifth Avenue, Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop and Arby’s.
Zippy’s customers with questions concerning this incident may call the company toll-free at 855-648-7562, Monday through Friday, 5 a.m. to 5 p.m. Hawaii time.
For information from the Federal Trade Commission regarding identity theft, go to www.identitytheft.gov.