(hospitalitybusinessnews.com – via Krebs on Security) When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.
In statement released on their website the company said
Wendy’s announced today that additional malicious cyber activity has recently been discovered in some franchise-operated restaurants. Wendy’s has disabled the malware where it has been detected.
Based on the preliminary findings of the previously-disclosed investigation, Wendy’s reported on May 11, 2016 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants. An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, we directed our investigator to continue to investigate.
In this continued investigation, Wendy’s has recently discovered a variant of the malware, similar in nature to the original, but different in its execution. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.
Upon detecting the new variant of malware in recent days, we have already disabled it in all franchise restaurants where it has been discovered, and we continue to work aggressively with experts and federal law enforcement to continue our investigation.