The Wendy’s Co. on Thursday acknowledged that an October 2015 attack on point-of-sale systems at franchisee-owned locations is far more widespread than initially reported, affecting 1,025 locations overall.
The Dublin, Ohio-based burger chain said that malware installed on terminals in several states targeted customers’ payment card data, including their name, debit or credit card number, expiration date, cardholder verification value and service code.
The list of affected restaurants, to be posted on the company’s site, was not yet available.
“We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks,” Wendy’s CEO Todd Penegor wrote in a letter to customers.
“We have conducted a rigorous investigation to understand what has happened and we are committed to protecting our customers and keeping you informed.”
The 1,000 restaurants represents less than one in five domestic Wendy’s locations — there are 5,144 franchise-operated domestic units, plus another 582 company-owned locations.
Wendy’s described the security breach as a pair of attacks. The first, according to the company, started at some franchisee locations in late fall, was first reported in January and affected less than 300 locations.
But in June the company said that, during its investigation, it discovered a second malware attack, similar to the first, which affected many more than 300 locations. The 1,000 number is the first quantification of the restaurants affected by the dual attacks.
Wendy’s is offering one year of fraud consultation and identity restoration services to customers who used a payment card at a potentially affected restaurant during the time it might have been affected.
“In a world where malicious cyberattacks have unfortunately become all too common for merchants, we are doing what is necessary to protect our customers,” Penegor wrote. “We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures.”
Wendy’s believes that criminals gained access to point of sale terminals by gaining remote access to the system by using compromised credentials from third party service providers.
That gave the criminals’ access to the central system, enabling them to place malware onto the terminals that read the credit card information.
The company says the attack has only affected franchisee outlets and not the 582 company locations. That’s important because Wendy’s is shifting to a single point-of-sale system, called Aloha, that’s installed at company-owned units.
Wendy’s said it worked with investigators to disable the malware.
Correction: July 8, 2016 This story has been edited to clarify wording on when the attack on Wendy's POS system occurred: The attack did not occur a year ago. A Wendy's spokesman said the earliest evidence of malware present was in October 2015, and this attack was discovered in January 2016.