Wendy’s Admits Data Breach Much Worse Than Previously Reported
Initially, the fast food chain discovered malware on its POS system at 5% of its franchisee-owned locations. However, they have recently uncovered a variant of the first malware.
“The attackers used a remote access tool to target a point-of-sale system that, as of the May 11th announcement, the Company believed had not been affected. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated,” the restaurant said in its press release.
The release said the company has disabled the malware “on all franchise restaurants where it has been discovered” and it “continues to work aggressively with its experts and federal law enforcement to continue its investigation.”
Both security expert Brian Krebs and the National Association of Federal Credit Unions have accused Wendy’s of minimizing the issue, and have said the breach could be larger than the ones that affected Target (40 million customers) and Home Depot (56 million customers).
“A number of sources in the fraud and banking community have complained to (me) that there was no way the Wendy’s breach only affected 5 percent of stores–given the volume of fraud that the banks have traced back to Wendy’s customers,” Krebs wrote.
The Ohio-based restaurant chain has more than 6,000 locations in the United States and Canada, the majority of which are owned by franchisees. Wendy’s still refuses to detail which locations were affected, or exactly how many stores were breached.
“As our investigation is active and ongoing, it is a premature for us to discuss individual restaurants or specific geographic locations impacted by this cyber-attack,” said Wendy’s spokesman Bob Bertini. “This situation does involve a considerable number of Wendy’s franchise restaurants in the U.S. and well as restaurants in Canada.”
Credit unions filed a class-action lawsuit against Wendy’s over the breach.