The Wendy’s Co. said Wednesday that a data breach revealed in January affected "fewer than 300" of the chain’s 5,500 North American franchise restaurants starting in the fall of 2015.
The company said in its first-quarter report that its investigation into “unusual credit card activity” found that malware was installed on one particular third-party point-of-sale system.
That malware was “installed through the use of compromised third-party vendor credentials.”
[CHARTBEAT:3]
The unusual activity started in the fall, but Wendy’s didn’t announce that it was investigating the breach until January.
“The company has worked aggressively with its investigator to identify the source of the malware and to quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants,” Wendy’s said in an earnings report. “The company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.”
Wendy’s is working to install a single point-of-sale system called Aloha. The breach hasn’t affected that system, in place in company locations and the majority of franchise-owned locations. It’s expected to be in place systemwide by the end of the year.
In addition to the approximately 300 locations, investigators expect another 50 franchise restaurants to have “unrelated cybersecurity issues.” The company and operators are working to resolve the issues.
Correction, May 11, 2016: A previous version of this article should have said that fewer than 300 restaurants were affected by the data breach, and that Wendy’s has 5,500 franchised restaurants in North America.
Contact Jonathan Maze at [email protected]
Follow him on Twitter: @jonathanmaze