The Wendy’s Co. reported that additional malicious cyber activity recently has been discovered in some franchise-operated restaurants. The company has disabled the malware where it has been detected.
Wendy’s is in the midst of a continuing investigation into unusual credit card activity at some of its restaurants. Reports indicate that payment cards used legitimately at Wendy’s may have been used fraudulently elsewhere.
Based on the preliminary findings of the previously disclosed investigation, the company reported May 11 that malware had been discovered on the point-of-sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants. An additional 50 franchise restaurants also were suspected of experiencing, or had been found to have, other cyber security issues.
Wendy’s recently discovered a variant of the malware, similar in nature to the original but different in its execution. The attackers used a remote access tool to target a POS system that, as of the May 11 announcement, the company believed had not been affected. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cyber security attacks is now expected to be considerably higher than the 300 already implicated. To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity.
According to Wendy’s, many franchisees and operators throughout the retail and restaurant industries contract with third-party service providers to maintain and support their POS systems.
The company believes this series of cyber security attacks resulted from certain service providers’ remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers.
Wendy’s said the malware used by attackers is highly sophisticated in nature and extremely difficult to detect. Upon detecting the new variant of malware in recent days, the company has already disabled it in all franchise restaurants where it has been discovered.