Wendy’s has disclosed that a cyberattack on its restaurants was more extensive than it initially reported, saying the attackers used malware to breach a second payment terminal system.
The burger chain has been investigating reports of fraudulent charges on some credit and debit cards that had been legitimately used at some of its locations.
In May, Wendy’s said malware had been discovered on a POS system at fewer than 300 of its of its roughly 5,500 franchised restaurants in North America. Now it is reporting that a second system was compromised by a “variant of the malware, similar in nature to the original, but different in its execution.”
“The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the company believed had not been affected,” Wendy’s said Thursday in a news release. “This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.”
“The company believes this series of cybersecurity attacks resulted from certain service providers’ remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers,” Wendy’s added.
As Krebs on Security reports, malware loaded onto point-of-sale terminals can remotely capture data from each card swiped at that cash register. The hackers can then sell the data to criminals who specialize in encoding the information onto any card with a magnetic stripe.
“Wendy’s statement that the attackers got access by stealing credentials that allowed remote access to point-of-sale terminals should hardly be surprising: The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to hacked remote access accounts that POS service providers use to remotely manage the devices,” Krebs said.
Wendy’s described the newly-discovered malware as “highly sophisticated in nature and extremely difficult to detect.” It said the malware has already been disabled in all the restaurants where it has been discovered.