Fast-food Chain Wendy's Admits POS Security Breach

North American fast-food chain chain Wendy’s confirmed that a recent data breach has hit around 300 of the burger chain’s 5,500 franchised stores, or about five per cent of all its restaurants in North America.

Wendy’s issued the confirmation, five months after reports of a possible data breach. In January, reports about a possible point-of-sale (POS) data breach at an undisclosed number of locations affiliated with the Wendy's and its chain of quick-serve restaurants. On May 11, in its fiscal 2016 first-quarter financial report, the company officially confirmed that some of its locations were the victim of a POS data breach.

In its press release, Wendy's noted that the Aloha point of sale system installed in all company-operated restaurants and most franchise-operated restaurants was not impacted by the malicious activity.

"The company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants," Wendy's stated. "The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation."

Tod Beardsley, security research manager at cybersecurity specialist Rapid 7, believes the breach illustrates a number of recurring themes with point-of-sale system-based financial crime. “The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third-party POS vendor for security.”