KANSAS CITY, Mo. -- Customers who have eaten at Wendy's restaurant and used a debit or credit card to pay for their food are being encouraged to check their statements and read more information on a cyber breach found at some franchise-owned restaurants.
The following restaurants may have been impacted by the cyberattack using malware. (See link below for other locations outside the Kansas City area.)
- Independence 4301 S. NOLAND RD.
- Independence 2528 S 291 HWY
- Independence 20130 EAST VALLEY VIEW CIRCLE
- Blue Springs 310 NW STATE ROUTE 7
- Harrisonville 1800 N STATE ROUTE 291
- Oak Grove 301 S.W. FIRST STREET
- Clinton 1701 E OHIO AVE 1/13/2016
- Columbia 2116 BERNADETTE DR
- Kansas City 7807 PARALLEL PKWY.
- Kansas City 7740 TAUROMEE STREET
- Lawrence 523 W. 23RD ST.
- Lawrence 601 KASOLD
- Leavenworth 2900 SOUTH 4TH
- Ottawa 2310 S CEDAR ST
- Topeka 1251 SW GAGE BLVD.
- Topeka 3250 SW TOPEKA BLVD
- Topeka 1820 S.W. WANAMAKER ROAD
Wendy's Company first reported unusual payment card activity in February 2016, and believes the activity may have occurred as early as October 2015. Then, last month, on June 9, company officials reported that an additional malware variant had been identified and disabled.
All of the impacted locations are located in the United States.
Wendy's customers are encouraged to learn more about the cyber attacks at the following address: www.wendys.com/notice. The link update includes a list of restaurant locations that may have been involved in the incidents, as well as information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services. A link to the update can also be found on the Company's homepage, www.wendys.com.
"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy's restaurants," said Todd Penegor, President and Chief Executive Officer. "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."
Wendy's said it has worked closely with third-party forensic experts, federal law enforcement and payment card industry contacts, Wendy's determined that the cyber attackers targeted key information in their malware including the cardholder's name, credit or debit card number, expiration date, cardholder verification value, and service code.
"Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges. As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards," Wendy's said in a statement.
The Company believes the criminal cyber attacks resulted from service providers' remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees' point-of-sale systems. To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.
The Company said the malware involved in the first attack earlier this year has been disabled with the help of investigators.
"Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy's franchisee systems starting in late fall 2015," Wendy's said.
Click here for a statement from Todd Penegor, President and CEO, The Wendy's Company.