More Than 1000 Restaurants Hit In Wendy’s Hack

The Wendy’s Co. (NASDAQ:WEN) revealed Thursday that a recent hack attack was much wider than initially believed. A year-long attack on point-of-sale systems at franchisee-owned Wendy’s is now suspected of affecting 1,025 locations overall. That is more than three times the number announced as affected in May.

Malware installed on the locations’ point of sale terminals targeted customers’ payment card data. Information stolen may have included customers’ names, debit or credit card numbers, expiration dates, cardholder verification values and service codes. Wendy’s believes that the hackers gained remote access to the terminals by using compromised credentials from third party service providers. Once inside, the hackers targeted the central system, allowing them to place malware onto the terminals.

Get alerts:

The problem started last fall, Wendy’s said in a statement. The company first disclosed the breach in February. The company worked with third-party forensic experts, federal authorities and those in the payment card industry to investigate the attack. The malware has since been disabled. The company reports that only franchisee outlets were affected.

The security breach was described as a pair of attacks. The first affected less than 300 locations. The second, discovered during an investigation of the first, was similar to the first, but affected many more locations. The 1,025 number includes the restaurants affected by both attacks. With 5,144 franchise-operated units and 582 company-owned locations in North America, the restaurants affected represent less than one in five domestic Wendy’s locations.

Wendy’s CEO Todd Penegor wrote in a letter to customers, “We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks.” Wendy’s also released a statement urging customers to “remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.”

To help affected consumers, Wendy’s is offering one year of fraud consultation and identity restoration services. All customers who used a payment card at a potentially affected restaurant during the time it might have been affected are eligible for the services. Customers may call a toll-free number 866-779-0485, from 8 a.m. to 5:30 p.m. CST, Monday through Friday to receive additional information and to access the provided services. The company said it will post a list of all of the locations affected, but that list has not yet been made available.