May 16

Wendy’s: Breach Affected 5% of Restaurants

Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores. The company says the investigation into the breach is continuing, but that the malware has been removed from all affected locations.

wendysky“Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015,” Wendy’s disclosed in their first quarter financial statement today. The statement continues:

“These findings also indicate that the Aloha point of sale system has not been impacted by this activity. The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016. The Company expects that it will receive a final report from its investigator in the near future.”

“The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.”

“Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues. The Company and affected franchisees are working to verify and resolve these issues.”

The findings come as many banks and credit unions feeling card fraud pain because of the breach have been grumbling about the extent and duration of the breach. Sources at multiple financial institutions say their data indicates that some of the breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 and into early April. The breach was first disclosed on this blog on January 27, 2016.

“Our ongoing investigation into unusual payment card activity at some Wendy’s restaurants is being led by a third party PFI and is proceeding as expeditiously as possible,” Wendy’s spokesman Bob Bertini said in response to questions about the duration of the breach at some stores. “As you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”



  1. Pretty nice of them to provide such an important data point in their release, wasn’t it?

    Why not just do ALL the recon work for the bad guys and box it up in a nice package, while you’re at it?

  2. There is no way this is true. No way. Not unless the entire 300 restaurants that were compromised are in my footprint.

    • Check for other second tier burger chains and really bad pizza chains in your mix.

      • I know there is a ton of overlap with a processor breach as well. It’s nearly impossible to tease out. 5% still seems unrealistic. I’d even buy 5% of their franchise owners, because they often own multiple locations. It just seems hard to swallow.

        Like their fish sandwiches.

  3. Wendy, you’re fired!

  4. Well, I guess this is a good a time as any to quit eating junky, fast food.

  5. Looks like third party credentials are the weak link here. Probably should have invested in NE Profile!

  6. Let me guess: Windows XP based POS. No configuration control. No integrity protection at all. I bet they have no idea how long the systems have been hacked.

    For the hackers, it’s on to the next Windows XP based POS system. And to further riches.

  7. This is something we see constantly. Managing third-party access is a huge challenge in the industry and one that very few companies have figured out but clearly more companies need to realize the RISK is real. This is the exact scenario we talk about to our customers when we design holistic IAM programs and deploy our software for managing third-party identities.

  8. Can’t wait to seed which remote access product it was this time, or are we going to learn or lesson about how not to set up vpns??

  9. 300 stores Where??? I don’t eat there often but would like to know if they are in my area??

  10. Sure! Because Wendys has so much clout that a mere 5% of them forces all the smaller credit unions out of business! riiiight.

  11. I agree with Kate. The 300 must be in our area as well-Ohio. Our losses are HUGE and can pinpoint the Common Point of Purchase as Wendy’s. We have been updated by Visa CAMS the exposure period is now Aug. 31, 2015-April 1, 2016.

  12. Not sure how this works, but if anyone used a chip card at a location that was breeched, is Wendy’s now responsible for that amount? Every Wendy’s I’ve been in has always swiped my chip card.

    • Where we’ve relocated to, only one establishment accepted the chip and pin, the rest are 100% swipe only.
      The establishment? Home Depot, they upgraded after their breach.
      Pity we can’t get a POS breach equivalent to Sarbanes-Oxley passed, but since it only screws us poor saps, it’ll stay that way – zero accountability.

    • If you have a chip card and Wendy’s does not have a chip enabled terminal then they are on the hook for the transaction. If a chip card is used at a chip enabled terminal then the liability is with the FI.

  13. This sound a little too much for such big food chain and the question all about their 300 restaurants chain, I mean were they sleeping all this while? Well even if this is real, I gotta pay them in cash from now on, as I love Wendy’s, no seriously!

  14. Wow, I don’t understand most of what you all are discussing. I am not an IT gal at all. All I know was my bank card is shut down and a new one with the chip is being sent. My kids love Wendy’s and they do offer healthier options, but love their (not so healthy) burgers! It’s such a crazy world we live in…. it’s moving so fast, hard to keep up with technology and the hackers.
    Sorry that this has happened to Wendy’s but if that’s the worst thing in my world today, it’s still a beautiful place. Look for the goodness!

  15. Who is PFI? Are they a payment processor and/or POS outsource vendor? Are the 300 Wendy’s locations about 95% or more of their business? Is it possible this is a 100% PFI data breach?

    With franchise business models, a lot of these investigations need to go further to find the source. It is quite possible PFI could go under outside of public scrutiny only to re-emerge under a new name with a new set of clients. An their former clients are left “holding the baggage”.

  16. please_fix_https

    Chrome is blocking images download.

    Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
    (index):58 Mixed Content: The page at ‘https://krebsonsecurity.com/’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes-core.css’. This request has been blocked; the content must be served over HTTPS.
    (index):59 Mixed Content: The page at ‘https://krebsonsecurity.com/’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes-default.css’. This request has been blocked; the content must be served over HTTPS.
    (index):1 Mixed Content: The page at ‘https://krebsonsecurity.com/’ was loaded over HTTPS, but requested an insecure script ‘http://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes.js’. This request has been blocked; the content must be served over HTTPS.

  17. I would really like to find a list of the 300 Wendy’s locations that were breached. I don’t care about just numbers I want the actual locations which I believe would be more helpful to us customers.

  18. I feel that I am the latest victim of debit card fraud to the tune of over $600. Factors considered, I believe that Wendy’s restaurant is the cobra. What heartache this has caused!!!

  19. I don’t believe the information from Wendy’s is correct – we are located in Arkansas and have been hit extremely hard with the fraud back in April and now again in the last few days. I don’t think Wendy’s has fixed the problem at all. They should be held liable for the financial institutions losses due to their negligence.