Customers who have eaten at Wendy's restaurant and used a debit or credit card to pay for their food are being encouraged to check their statements and read more information on a cyber breach found at some franchise-owned restaurants.
Wendy's has identified 13 restaurants in 12 Utah cities that were affected by the hack:
- Heber City
- Spanish Fork
Wendy's Company first reported unusual payment card activity in February 2016, and believes the activity may have occurred as early as October 2015. Then, on June 9, 2016, company officials reported that an additional malware variant had been identified and disabled.
All of the impacted locations are located in the United States.
Wendy's customers are encouraged to learn more about the cyber attacks at the following address: www.wendys.com/notice. The link update includes a list of restaurant locations that may have been involved in the incidents, as well as information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services. A link to the update can also be found on the Company's homepage, www.wendys.com.
"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy's restaurants," said Todd Penegor, President and Chief Executive Officer. "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."
Wendy's said it has worked closely with third-party forensic experts, federal law enforcement and payment card industry contacts, Wendy's determined that the cyber attackers targeted key information in their malware including the cardholder's name, credit or debit card number, expiration date, cardholder verification value, and service code.
"Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges. As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards," Wendy's said in a statement.
The company believes the criminal cyber attacks resulted from service providers' remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees' point-of-sale systems. To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity.
The Wendy's Company said the malware involved in the first attack earlier this year has been disabled with the help of investigators.
"Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy's franchisee systems starting in late fall 2015," Wendy's said.
Click here for a statement from Todd Penegor, President and CEO, The Wendy's Company.