Wendy’s Update on Payment Card Security Incident

Dublin OH, July 9 2016 (hospitalitybusinessnews.com) Hospitalitybusinessnews.com recently reported that the Wendy’s credit card breach appeared to be worse than initially thought ( click here ) .

In June Wendy’s stated “In this continued investigation, Wendy’s has recently discovered a variant of the malware, similar in nature to the original, but different in its execution. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.

On July 7, 2016 the company added the following statement to their web site.

The Wendy’s Company updated its customers today regarding malicious cyber activity experienced at some Wendy’s restaurants. The Company first reported unusual payment card activity affecting some franchise-owned restaurants in February 2016. Subsequently, on June 9, 2016, the Company reported that an additional malware variant had been identified and disabled. Today, the Company, on behalf of affected franchise locations, is providing information about specific restaurant locations that may have been impacted by these attacks, all of which are located in the U.S., along with support for customers who may have been affected by the malware variants.

“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy’s restaurants,” said Todd Penegor, President and Chief Executive Officer. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”

Working closely with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the Company has determined that specific payment card information was targeted by the additional malware variant. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges.  As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards.

The Company believes the criminal cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.  To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

The Company worked with investigators to disable the malware involved in the first attack earlier this year. Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy’s franchisee systems starting in late fall 2015.

 

Share Button
About the Author