US fast food restaurant chain Wendy’s has admitted that the data breach suspected of affecting a few hundred of its outlets has actually hit over 1000 nationwide.
The firm released a full list of the franchises affected by the cyber-attack, which it said resulted from “service providers’ remote access credentials being compromised,” allowing remote hackers to deploy malware on franchisee’s Point of Sale (POS) systems.
The burger chain first notified the public of the incident back in February but it wasn’t until May that it found evidence of malware being installed on POS systems.
Initially it was believed that around 300 restaurants were affected by the incident – around 5% of the 5700-odd nationwide.
However, in June the firm updated to claim the breach may be much larger than at first thought. It appears those fears have been realized.
A statement explained:
“Based on the facts known to Wendy’s at this time, the additional malware targeted the following payment card data: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. Please note that the cardholder verification value that may have been put at risk is not the three or four-digit value that is printed on the back or front of cards, which is sometimes used in online transactions.”
Wendy’s claimed it found a way of disabling the malware soon after detecting its presence, believing the attack was first launched in autumn 2015.
Interestingly, the firm also revealed that there appears to have been two separate malware attacks, with an additional wave of attacks revealed in a May update. It’s unclear whether investigators suspect the same group behind both.
All customers affected are entitled to a year’s worth of “identity consultation” with an expert from Kroll, and – if the worst happens – “identity restoration,” where “an experienced licensed investigator will work on your behalf to resolve related issues.”