The fast-food chain Wendy’s yesterday confirmed that 1,025 locations — nearly 20 percent of U.S. stores — were part of a major data breach that ran for up to several months in which cyber criminals infected card terminals with malware to steal debit and credit card data. While the impact of the breach on financial institutions is as yet unknown, one financial trade group has said the fraud volumes tied to the Wendy’s breach are greater than those from the widely publicized Target and Home Depot breaches.
Wendy’s said it believes the malware was introduced in the fall of 2015 to restaurants’ systems via the remote access credentials of Wendy’s service providers. The company said the malware used to steal card data at the restaurants had been disabled by early June. However, the breach — which was publicly disclosed by cybersecurity reporter Brian Krebs in January — was noticed months earlier by issuers and payments industry professionals noting suspicious activity on cards used at Wendy’s locations.