DUBLIN, Ohio – Wendy’s announced this week that a comprehensive investigation into “unusual credit card activity” at its North American restaurants is nearing completion.
Wendy’s told investors that it believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular POS system at 300 of approximately 5,500 franchised North America Wendy's restaurants, starting in the fall of 2015. The company has “worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyberattacks, and has disabled and eradicated the malware in affected restaurants.”
KrebsOnSecuirty.com, which first reported on Wendy’s data breach in January, says that Wendy’s findings come “as many banks and credit unions feeling card fraud pain because of the breach have been grumbling about the extent and duration of the breach.” The news source notes that some of the breached Wendy’s locations “were still leaking customer card data as late as the end of March 2016 and into early April.”
Wendy’s also says that cybersecurity issues are still occurring, reporting to investors that approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues.
Meanwhile, the Consumerist reported in February that the 2015 cyberattack resulted in at least one class-action lawsuit against the fast-food chain. A customer claims that Wendy’s failed to use adequate safety measures and did not notify customers quickly of the potential data breach.
“Wendy’s could have prevented this data breach,” the complaint states, adding, “While many retailers, banks and card companies responded to recent breaches by adopting technology that helps make transactions more secure, Wendy’s has acknowledged that it did not do so.”