COLUMBUS, Ohio – Wendy’s has acknowledged that the data breach originally reported in January of this year is much larger than it had first stated.
The fast food chain had said that fewer than 300 of its 5,800 locations were affected by the breach. But Krebs on Security, which was first to report the issue, said its investigation has found that the breach was far larger than the 5% of Wendy’s stores the company said were involved. Now Wendy’s has told Krebs on Security that the breach is expected to be “considerably higher than the 300 restaurants already implicated.”
A Wendy’s spokesperson told Krebs on Security that the company believes the breach occurred in two waves. Malware installed on POS devices was discovered first; the company said it then discovered a different strain of the malware at some locations, one that targets a different point-of-sale system than the original one. All of the affected stores were franchises, not company-run.
Wendy’s said the attackers got access by stealing credentials that allowed remote access to point-of-sale terminals.
“This revelation underscores the need for action on a strong national data-security standard for retailers,” said NAFCU CEO Dan Berger in a statement. “The current system leaves consumers’ data unprotected and puts credit unions and other financial institutions on the hook for the cost of retailers’ negligence.”
Krebs on Security reported that it’s debatable whether EMV cards and chip-based readers at the restaurants would have stifled the crime.
Earlier this year, First Choice FCU in New Castle, Penn., filed suit in federal court in Pennsylvania, alleging that the data breach lasted for almost five months, from late October to early March. It is seeking to recover costs related to the breach and also demanding Wendy's improve its encryption software, implement chip-card payment technology, and make other technology upgrades across its 6,000 restaurants.
