US burger chain Wendy's has revealed that hundreds of the company's restaurants were hacked in late 2015, according to its first quarter earnings report released on 11 May. The company said it was able to "eradicate" malware on point-of-sale systems at about 300 of its approximately 5,500 franchised North American restaurants in fall 2015.
Reports of the hack first surfaced in January after cybersecurity expert Brian Krebs reported on his blog that Wendy's was looking into claims of "unusual activity" on customers' credit or debit cards in Florida, California, Nevada and Illinois shortly after intended transactions at the fast food chain.
"Fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants," Wendy's spokesman Bob Bertini told Krebs. "We've hired a cybersecurity firm and launched a comprehensive and active investigation."
According to its latest earnings report, the company said that cybersecurity experts found that the malware affected one particular point-of-sale system and was installed through the use of "compromised third-party credentials". It added that its new Aloha point-of-sale system was not impacted.
"The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants," Wendy's said in its Q1 earnings release. "The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation."
Wendy's also reported that another 50 franchise restaurants are suffering or have suffered "unrelated cybersecurity issues", which the company is working to verify and resolve.
Krebs said that sources at multiple financial institutions revealed their data showed some of the breached Wendy's locations were still leaking customer data at the end of March 2016 and in early April.
The data breach sparked criticism from banks and credit unions accusing the firm of not moving fast enough to stop the hack that is believed to have started in October 2015. In April this year, Pennsylvania-based First Choice Credit Union filed a class action lawsuit against Wendy's, alleging that it did not properly safeguard customers' credit and debit card information.
"Taking advantage of Wendy's lax data security and delayed notification to financial institutions and the public, hackers were able to gather large amounts of consumer data. Unknown perpetrators also specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions... to suffer losses much greater than what was experienced after the Home Depot or Target data breaches," the lawsuit stated.
Late last year, the credit card industry established rules requiring retailers to make the transition to chip cards and adopt card readers based on a technology called EMV, named after its backers – Europay, MasterCard and Visa. Some of Wendy's franchisees, however, had reportedly not yet made the transition, which offers more protection against fraud than magnetic stripes.
"The investigation, which is being led by a third-party, is drawing to a close," a Wendy's spokesman told CNBC. "We expect to receive a final report soon and anticipate being in a position to share additional detail regarding the investigation and its results in the coming weeks."