COLUMBUS, Ohio–The number of Wendy’s restaurants impacted by its malware attack has now topped 1,000, more than three times the previous estimate, the fast food chain is reporting.
Wendy’s said the malware targeted point-of-sales systems and cardholder names, numbers and verification codes, stealing card information at 1,025 locations.
Just last month Wendy’s acknowledged the attack was significantly higher than the original estimate of 300 restaurants affected. Wendy’s also stated that the attack might not yet be contained.
“It is an outrage that retailers continue to compromise the safety of consumers’ sensitive financial information and our economy,” said NAFCU President and CEO Dan Berger. “Congress must act to implement national data security standards for retailers. Without these standards, essentially every time consumers use their credit or debit card they are gambling to see when their data will be breached, not if.”
KrebsOnSecurity previously reported that multiple financial institutions believed Wendy’s locations were still “leaking” card data as late as early April. The breach is believed to have begun in late 2015. Several class actions, including two by credit unions, have also been filed. Wendy’s has also offered free fraud consultation and identity restoration services to those affected.
In March, Berger told Krebs that some credit unions suspected the breach could be even worse than those at Target and Home Depot.
NAFCU said it continues to push for a strong national data security standard for retailers through the “Data Security Act” (HR 2205/S. 961), which would hold retailers to the same standards credit unions already follow under the Gramm-Leach-Bliley Act and institute consumer notification requirements.