A Cheddar’s data breach may have taken place in recent months, potentially exposing the credit card numbers and personal information of more than a half million of its customers.

The restaurant chain — which is owned by Olive Garden parent company Darden Restaurants (NYSE:DRI) — said late on Wednesday that the company recently received a notification from federal authorities regarding the potential incident.

A number of its Cheddar’s Scratch Kitchen locations may have had a vulnerability that could have compromised guest data in a number of its restaurants through a data breach. Darden Restaurants said that the company’s systems and networks were not affected by the incident due to the fact that the breach took place on a legacy system of the company’s chain.

The credit card information of roughly 567,000 patrons may have been exposed by the cyberattack in at least 23 U.S. states, including Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.

Customers who visited the company’s restaurants between Nov. 3, 2017 and Jan. 2, 2018 may have been affected. Cheddar’s said that the company had disabled and replaced its legacy system by April 10 and it hired a third-party forensic cybersecurity firm to investigate the matter.

DRI stock surged 0.2% on Thursday afternoon.