Wendy’s said that the data breach it suffered as early as last fall impacted fewer than 300 franchise restaurants in its North American segment, based on preliminary findings from an investigation into the matter.
The chain believes the breach began when malware installed via compromised vendor credentials impacted the POS systems at those units. Wendy’s said it has disabled and removed the malware from the affected restaurants.
The investigation, which is close to complete, also found “unrelated cybersecurity issues” at around 50 franchised units, Wendy’s noted.
When news of its breach first surfaced in January, the chain said it had not determined the “nature or scope” of the incident.
The QSR was sued shortly after the story broke, facing allegations that it failed to inform customers about the breach in a timely manner and lacked adequate safeguards against a hack in the first place.
The Wendy’s breach is a bit of an unusual case, as most of the hackings in the restaurant industry to date have involved full-service brands, which tend to rely more heavily on credit card transactions than quick-service operations.
Wendy’s has 5,500 franchised restaurants in North America.