Wendy's is investigating a possible credit card breach that may have affected thousands of its North American customers. According to Krebs on Security, the Ohio-based burger chain is looking at several reports of "unusual activity" on cards used at Wendy's locations across the country. The company has hired a team of cybersecurity experts to help assess the damage and is cooperating with law enforcement in a criminal investigation.
As many as 6,000 locations may have been affected
A spokesperson for the chain, Bob Bertini, told Krebs the company first caught wind of the potential breach "earlier this month" thanks to its contacts in the payments industry. "Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We've hired a cybersecurity firm and launched a comprehensive and active investigation that's underway to try to determine the facts," Bertini said in a statement.
Wendy's has about 6,500 locations in the U.S. and abroad, 85 percent of which are franchise-owned. Though Krebs heard reports were coming mainly from the Midwest, its sources say Northeastern locations were also likely hit. Wendy's says it began investigating the issues "immediately," and that the breach likely happened in December 2015. The company does not yet know the scope of the breach or which specific locations were affected. Consumers who used a credit card to pay at a Wendy's location within the past three months should review their billing statements for any inaccuracies and report any fraudulent charges to their bank or credit card company.
Credit card breaches are becoming more and more common in the restaurant industry, and chains are especially susceptible, likely because of their use of outdated technology. Krebs explained to Eater in an interview, "Traditionally [POS systems] have been some of the weakest spots [in a restaurant's operations... because restaurant owners] tend to do really sloppy things like enable the same password for each system." He goes on, "Guess what? If the bad guys can remotely log in to your point of sale software, well, it's kind of game over." Jimmy John's, Rainforest Cafe, Morton's, P.F. Chang's, and Dairy Queen have been victims of credit card hacks within the past two years.