The Wendy’s Co. recently updated its customers regarding malicious cyber activity experienced at Wendy’s restaurants, now estimating the data breach has impacted more than 1,000 locations.
The Wendy’s system includes approximately 6,500 franchise and company-operated restaurants in the U.S. and 28 countries and U.S. territories worldwide.
The company first reported unusual payment card activity affecting franchise-owned restaurants in February. On June 9, the company reported that an additional malware case had been identified and disabled.
The July 7 company update included information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services.
Working closely with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, Wendy’s determined that specific payment card information was targeted. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value and service code.
Wendy’s believes the criminal cyber attacks resulted from service providers’ remote access credentials being compromised, allowing access—and the ability to deploy malware—to some franchisees’ point-of-sale systems. To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity.
Wendy’s worked with investigators to disable the malware involved in the first attack earlier this year. Soon after detecting the malware variant involved in the latest attack, the company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation confirmed that criminals used malware believed to have been effectively deployed on some Wendy’s franchisee systems starting in late fall 2015.
“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy’s restaurants,” said Todd Penegor, president and CEO. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”
