Wendy’s said Wednesday that an investigation into the recent data breach at the fast food-chain found that less than 5 percent of its restaurants were affected.
Details of the breach emerged earlier this year.
“Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015,” Wendy’s said, in a press release announcing the company’s fiscal first quarter results.
Wendy’s brought in cybersecurity experts earlier this year to conduct an investigation into unusual credit card activity at some of its restaurants. The investigation is now nearing completion, the company said, and a final report is expected in the coming weeks.
The Dublin, Ohio-based firm has not yet disclosed the duration of the breach.
In its press release, Wendy's noted that the Aloha point of sale system installed in all company-operated restaurants and most franchise-operated restaurants was not impacted by the malicious activity.
Security expert Brian Krebs first reported the breach in January. In a blog post Wednesday Krebs said that many banks and credit unions have been “grumbling” about the extent and duration of the breach. Citing unnamed sources at financial institutions, Krebs reports that some breached Wendy’s locations were "still leaking" customer card data at the end of March 2016 and into early April.
Tod Beardsley, security research manager at cybersecurity specialist Rapid 7, believes the breach illustrates a number of recurring themes with point-of-sale system-based financial crime. “The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third-party POS vendor for security.”
The fact that the breach affected only 5 percent of Wendy's locations was likely a contributing factor to its success, according to Beardsley. “A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize,” he said.
Follow James Rogers on Twitter @jamesjrogers