The Wendy’s Co. said Thursday that it recently discovered malicious malware in more restaurants, bringing the infected locations to a number considerably more than 300 units.
The Dublin, Ohio-based operator said it has disabled the malware where it has been detected.
In January, Wendy’s said it was investigating unusual credit card activity at some franchised restaurants, and that payment cards used at Wendy’s locations might have been used fraudulently elsewhere.
In May, the company reported that the cyber attack had hit fewer than 300 franchised North American Wendy’s locations. An additional 50 units were suspected to have different security issues.
As part of the investigation, Wendy’s said it recently discovered a variant of malware that was used in the previous attacks. The malware is similar to the original, “but different in its execution,” the company said.
Wendy’s now says that the number of restaurants hit by these cyber security attacks “is now expected to be considerably higher than the 300 restaurants already implicated.” The attack appears to be limited to franchised locations.
According to Wendy’s, the attackers used a remote access tool to target a point-of-sale system that, as of the previous announcement, the company didn’t think had been infected.
The company is blaming third-party service providers that maintain and support point-of-sale systems that many franchisees and other operators use.
Wendy’s believes that some of these third-party providers’ remote access credentials have been compromised, giving criminals access to the franchise restaurants’ POS systems they serve.
“The malware used by attackers is highly sophisticated in nature and extremely difficult to detect,” Wendy’s said, noting that it disabled the malware in all franchised restaurants where it has been discovered.
Wendy’s customers can call a toll-free number, (888) 846-9467, or email [email protected] with specific questions.