The franchisor said it discovered a second malware program in the POS systems of franchised restaurants. As a result, the number of stores whose customer data was swiped “is now expected to be considerably higher” than the initial estimate of 300 units, Wendy’s said.
It noted that credit card information swiped during the hackings was already being used for fraudulent purchases.
Hackers broke into the systems by using logins swiped from the third-party vendor that services franchisees’ POS systems, Wendy’s said. All of the restaurants whose data was vulnerable were franchises; not a single company unit has been involved, the franchisor said.
Investigators have disabled the second malware program in the units where it was detected, the chain stressed.
Wendy’s said in mid-May that it detected the first type of malware after unusual credit card activity led to an investigation. Headquarters says it is working with security experts and federal law enforcement officials to investigate the situation.
A help line has been set up for customers with questions about the breaches.