Wendy's Confirms POS Security Breach, Investigation Continues
At the end of January, the first reports publicly emerged about a possible point-of-sale (POS) data breach at an undisclosed number of locations affiliated with the Wendy's Company and its chain of quick-serve restaurants. On May 11, as part of Wendy's fiscal 2016 first-quarter financial report, the company officially confirmed that some of its locations were, in fact, the victim of a POS data breach.
While Wendy's has not yet fully completed its investigation into the breach, it does have some preliminary data on what happened. According to Wendy's disclosure, the breach likely first started in the fall of 2015 and involved the installation of malware by way of compromised third-party vendor credentials. Of note, though, is the fact that the malware was only found in Wendy's franchisee-owned stores and not in corporate-owned Wendy's locations.
Wendy's has found that the malware affected "fewer than 300" franchised locations out of a total of approximately 5,500 locations.
The corporate-owned Wendy's stores used the Aloha point-of-sale system, which was not affected by the malware. Additionally, Wendy's stated that the majority of its franchised restaurants use the same POS system, and a plan for full implementation of the Aloha system throughout North American restaurants is set to be completed by the end of 2016.
Five months after reports of a possible data breach, Wendy's issued an official confirmation. Some of its restaurants have other cyber-security issues.
"The company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants," Wendy's stated. "The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation."