US Wendy's hack was bigger than thought and exposed credit card data

The company has published a list of the affected restaurants

A data breach that hit Wendy's fast food restaurants was more than three times bigger than originally disclosed and exposed customer credit card data.

The company said Thursday that malware installed in point-of-sale systems was discovered at over 1,000 of its franchised U.S. restaurants -- a big jump from the "fewer than 300 stores" it said in May had been affected.

Hackers gained access to the machines using remote access credentials of a third-party service provider, Wendy’s said.

The breach began in fall 2015 and wasn't discovered until early this year. As part of its investigation, the company discovered a second malware variant had infected its systems.

That second malware targeted "cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code," the company said.

The restaurants affected were all franchise operations and are listed on a website. Wendy's said it's owned and operated restaurants do not appear to have been exposed to the same malware.

The company is one of the latest U.S. brands to have been hit by similar cyber attacks. In recent years, hackers pulled off data breaches against Target and Home Depot, also using login credentials from third-parties.

Hacking attacks against point-of-sale systems, especially at retailers, have become all too common, said Ziv Mador, vice president of security research at Trustwave.

Many of these attacks are conducted by stealing the login credentials used in company web interfaces designed to maintain the point-of-sale systems, he said. Once access is gained, a hacker can easily deliver malware disguised as a security patch.

Retailers tend to reuse the login credentials across their stores, so it can be easy for the hackers to expand their attack, Mador said.

Wendy's is encouraging customers to look out for unauthorized charges on their credit cards.

Join the CSO newsletter!

Error: Please check your email address.

More about Home DepotTrustwave

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place