Data security issues at Wendy’s have now been super-sized.
Following whispers of a data breach in January, Wendy’s finally confirmed payment security issues in May, when spokesmen admitted fewer than 300 stores had been affected by malware. Now, the company admits the real number of compromised restaurants is over 1,000.
Thieves installed malware on POS card terminals to capture card numbers, cardholder names, verification values, expiration dates, service codes and other critical data. Wendy’s stated that CVV codes were not at risk. The malware has been called “highly sophisticated in nature and extremely difficult to detect.”
The initial claim of fewer than 300 affected stores was cast into doubt by reports from card issuers that fraudulent charge volume indicated a far larger distribution throughout the chain’s 5,800 U.S. locations. Wendy’s states that the attack came in two separate waves, making it difficult to determine the total size of the data breach when it was first detected. Investigators first put the scope at only 300 locations, then were hit by a second, mutated strain of the malware soon thereafter.
The attack appears to have been the result of compromised security credentials used for remote access by third-party POS service companies. These companies are often hired by franchisees to manage POS systems in their restaurants, and most access them remotely. Of the 5,800 Wendy’s restaurants in the U.S., only about 630 are owned and operated by Wendy’s itself, with the remainder in the hands of local franchise owners. None of the company-owned stores have been implicated in the data breach.
In response to their discovery of the larger scale of the breach, Wendy’s has compiled a searchable database of affected locations. This database is accessible to customers on the company website.
The affected locations had not yet moved to the use of EMV chip cards. Gavin Waugh, vice president and treasurer at The Wendy’s Company, believes that the attack might not have been prevented by use of EMV. Wendy’s declined to provide a timetable for the completion of the rollout of EMV to their network of restaurants.
Gartner Group analyst Avivah Litan states that although many locations have received and installed EMV-capable terminals, not all have activated them. She acknowledged that there is a backlog of requests at the companies that certify EMV readiness for merchants ready to move to the new standard.