Customers who have eaten at Wendy's restaurants and used a debit or credit card to pay for their food are being encouraged to check their statements and read more information on a cyber breach found at some franchise-owned restaurants.
The following restaurants may have been impacted by the cyber attack using malware.
14496 Warwick Blvd. between the dates of 1/13/2016 - 6/8/2016
15492 Warwick Blvd. between the dates of 1/13/2016 - 6/8/2016
12221 Jefferson Ave. between the dates of 1/13/2016 - 6/8/2016
4824 Monticello Ave. between the dates of 1/13/2016 - 6/8/2016
6666 Richmond Rd. between the dates of 1/13/2016 - 6/8/2016
1989 Richmond Rd. between the dates of 1/13/2016 - 6/8/2016
1907 Pocahontas Trail between the dates of 1/13/2016 - 6/8/2016
Richmond: 4609 Williamsburg Rd. between the dates of 1/13/2016 - 6/8/2016.
Ashland: 11550 N. Lakeridge Pkwy. between the dates of 1/13/2016 - 6/8/2016
Fredericksburg: 5801 Plank Rd. between the dates of 12/2/2015 - 6/8/2016
Gordonsville: 441 Market St. between the dates of 1/13/2016 - 6/8/2016
Wendy's Company first reported unusual payment card activity in February 2016, and believes the activity may have occurred as early as October 2015. Then, on June 9, 2016, company officials reported that an additional malware variant had been identified and disabled.
All of the impacted locations are located in the United States.
Wendy's customers are encouraged to learn more about the cyber attacks at the following address: www.wendys.com/notice. The link update includes a list of restaurant locations that may have been involved in the incidents, as well as information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services. A link to the update can also be found on the Company's homepage, www.wendys.com.
"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy's restaurants," said Todd Penegor, President and Chief Executive Officer. "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."
Wendy's said it has worked closely with third-party forensic experts, federal law enforcement and payment card industry contacts, Wendy's determined that the cyber attackers targeted key information in their malware including the cardholder's name, credit or debit card number, expiration date, cardholder verification value, and service code.
"Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges. As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards," Wendy's said in a statement.
The company believes the criminal cyber attacks resulted from service providers' remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees' point-of-sale systems. To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity.
The Wendy's Company said the malware involved in the first attack earlier this year has been disabled with the help of investigators.
"Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy's franchisee systems starting in late fall 2015," Wendy's said.
Click here for a statement from Todd Penegor, President and CEO, The Wendy's Company.