ARLINGTON—Wendy’s said that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores, according to KrebsOnSecurity.
A Wendy’s spokesperson told KrebsOnSecurity that the malware found on those POS systems has now been removed. However, the spokesperson declined to comment on the duration of the breach, and Krebs says multiple financial institutions report their data shows some of the affected Wendy’s locations were “leaking” card data as late as early April. Two class actions, including one by a credit union, have also been filed.
NAFCU said it has no intention of letting up on its push for national data security standards following the Wendy’s announcement.
NAFCU President and CEO Dan Berger noted signs of a potential Wendy’s breach months ago, prior to initial reports. He said Wednesday’s report offers little assurance to institutions still concerned about the potential impact.
“This incident continues to illustrate the need for national data security standards such as those proposed in the ‘Data Security Act,’” Berger said. “Right now, credit unions continue to pay the tab for merchant breaches, and that’s unacceptable. The ‘Data Security Act’ would establish national standards that are both scalable and would hold merchants accountable for breaches on their end.”
The “Data Security Act” (HR 2205/S 961) was supported Tuesday in a letter from the Electronic Payments Coalition to the House leadership. NAFCU and CUNA are part of EPC, a broad-based group with representatives from the credit union industry, banks and payment networks.
