Popular US food-chain Wendy’s has fallen victim to cyber crime targeting their customers’ payment card information, the company reported yesterday. Credit card information has been stolen from at least 1,025 of its restaurants.
Unusual payment card activity had been detected in February 2016 when franchise locations were targeted, followed by additional malware in June. The company announced in May that around 300 restaurants out of 5,500 had been compromised. All attacks were on restaurants in the US, a list of which is available on Wendy’s website.
“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy’s restaurants,” said Todd Penegor, president and chief executive officer. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”
An investigation by forensic experts, law enforcement and the card industry indicates the hackers were interested in collecting payment card information such as name, credit or debit card number, expiration date, cardholder verification value and service code.
“We believe that both criminal cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems,” Penegor said.
The company believes the malware was installed on their point-of-sale systems in the fall of 2015. Although the malware has now been disabled, Wendy’s customers are advised to closely monitor their bank accounts and report any suspicious transactions.