The Wendy’s Company updated its customers today regarding malicious cyber activity experienced at some Wendy’s restaurants. The Company first reported unusual payment card activity affecting some franchise-owned restaurants in February 2016. Subsequently, on June 9, 2016, the Company reported that an additional malware variant had been identified and disabled. Today, the Company, on behalf of affected franchise locations, is providing information about specific restaurant locations that may have been impacted by these attacks, all of which are located in the U.S., along with support for customers who may have been affected by the malware variants.

"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants," said Todd Penegor, President and Chief Executive Officer. "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."

Wendy’s customers are encouraged to learn more about this new information at the following address: www.wendys.com/notice [or see notice of data breach below].  The update includes a list of restaurant locations that may have been involved in the incidents, as well as information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services.

Working closely with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the Company has determined that specific payment card information was targeted by the additional malware variant. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges.  As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards.

The Company believes the criminal cyberattacks resulted from service providers' remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees' point-of-sale systems.  To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

The Company worked with investigators to disable the malware involved in the first attack earlier this year. Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy’s franchisee systems starting in late fall 2015.


Wendy’s Notice of Data Breach:

What Happened?

Wendy’s recently reported additional malicious cyber activity involving some franchisee-operated restaurants.  The Company believes this criminal cyberattack resulted from a service provider’s remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ POS systems.  Soon after detecting the malware, Wendy’s identified a method of disabling it and thereafter has disabled the malware in all franchisee restaurants where it has been discovered.  The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy’s franchisee systems starting in late fall 2015.

What Information Was Involved?

Based on the facts known to Wendy’s at this time, the additional malware targeted the following payment card data: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.  Please note that the cardholder verification value that may have been put at risk is not the three or four digit value that is printed on the back or front of cards, which is sometimes used in online transactions. 

What Are We Doing?

Wendy’s has worked aggressively with third-party forensic experts and federal law enforcement on this investigation, which is ongoing. Wendy’s has now arranged to offer fraud consultation and identity restoration services to all customers who used a payment card at a potentially affected restaurant during the time when the restaurant may have been affected. For a list of potentially affected restaurants, and relevant timeframes for each location, click here.  For instructions on how to access your complimentary year of fraud consultation and identity restoration services call a toll-free number, (866) 779-0485, 8:00 am to 5:30 pm CST, Monday through Friday (excluding major) holidays. We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures.

What Can You Do? 

We recommend that you review the list of potentially affected franchise restaurants (available here) to identify if you may have been affected by this incident, and if so, call a toll-free number, (866) 779-0485, 8:00 am to 5:30 pm CST, Monday through Friday excluding major holidays to learn more about the fraud consultation and identity restoration services available to you. Additionally, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards and to quickly report suspicious activity to their bank or credit card company. The phone number to call is usually on the back of the credit or debit card. 

Where Can I Find More Information? 

Customers may call a toll-free number (866) 779-0485, 8:00 am to 5:30 pm CST, Monday through Friday (excluding major holidays) to receive additional information on the incident as well as accessing the fraud consultation and identity restoration services.

How do I Know if I was Affected? 

The Wendy’s franchisee locations that may have been involved in this incident and the dates during which they may have been affected can be found here. The potentially affected sites are organized by state. If you made a purchase using a payment card at one of the listed restaurants during the relevant timeframe, your information may have been affected.

Is there Additional Information Related to Wendy’s May 11 Investigation Update?

Wendy’s has received the final report from its investigator related to the separate malware discussed in Wendy’s May 11 update.  That malware targeted similar payment card information, including credit or debit card number, expiration date, cardholder verification value, and service code, but did not target customer names.  As noted in Wendy’s May 11 update, Wendy’s has disabled and eradicated that malware from all of those franchisee locations.  The potentially impacted sites related to that malware are located in the United States.  A list of those sites, as well as the dates during which those sites may have been affected, are included in the list of potentially impacted franchisee sites that may be found here.  Customers who used a payment card at any restaurant location on the list, including those related to the malware discussed during the May 11 update, have access to one year of complimentary fraud consultation and identity restoration services.

How do I Access the Fraud Consultation and Identity Restoration Services?

Wendy’s is offering one year of complimentary fraud consultation and identity restoration services to all customers who used a payment card at any potentially impacted franchisee locations during the affected dates for both malware variants.  A list of potentially affected restaurants, and relevant timeframes for each location, can be found here.  For instructions on how to access your complimentary year of fraud consultation and identity restoration services  call a toll-free number (866) 779-0485, 8:00 am to 5:30 pm CST, Monday through Friday excluding major holidays.

What Services am I Being Offered? 

All potentially impacted individuals will receive one year of complimentary fraud consultation and identity restoration services through Kroll. Customers will receive the following services:

  • Identity Consultation - You have access to consultation with a dedicated licensed investigator at Kroll. Support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event. You do not need to sign up for these services in order to access them.
  • Identity Restoration - If you become a victim of identity theft, an experienced licensed investigator will work on your behalf to resolve related issues. You will have access to a dedicated investigator who understands your issues and will do most of the work for you. Your investigator can dig deep to uncover all aspects of the identity theft, and then work to resolve it.  You do not need to sign up for these services in order to access them.

Will I Be Automatically Charged After the 1 Year of Complimentary Fraud Consultation and Identity Restoration Services?

No, you will not be automatically charged after your 1 year of complimentary services expires.  Please note that if a Kroll licensed investigator is assisting you with identity restoration services after the expiration of the 1-year term, Kroll will continue to provide you with identity restoration services for an additional 2 years.

Would Wendy’s Ever Contact Me Asking for My Personal Financial Information?

No.  Wendy’s will not ask you to provide personal financial information in an email or by telephone. You should always be suspicious of any unsolicited communications that ask for your personal financial information or refer you to a web page asking for personal financial information.

Can Someone Steal My Identity With A Stolen Credit Card Number?

Based on discussions with industry experts, compromised credit card information alone generally is not used to open new lines of credit or steal a person's identity. However, it never hurts to check your credit report.

What Should I Do if I am Concerned About Identity Theft? 

Based on discussions with industry experts, compromised payment card information alone generally is not used to open new lines of credit or steal a person's identity. However, it is always a good idea to check your credit report regularly. It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity. In addition, your state may also offer guidance about how you can prevent or respond to identity theft. It is generally recommended that you promptly report instances of identity theft or suspicious activity to local law enforcement, such as your local police or sheriff’s department, your state’s attorney general or the Federal Trade Commission.'

You may also obtain additional information from the Federal Trade Commission about steps you can take to avoid identity theft (including how to place a fraud alert or a security freeze on your credit account). Contact information for the FTC is as follows:

For Residents of Maryland:  You may also obtain information about preventing and avoiding identity theft from the Maryland Office of the Attorney General, whose contact information is as follows:

  • Maryland Attorney General's OfficeConsumer Protection Division

    200 St. Paul Place 9001

    Baltimore, MD 21202

    1-888-743-0023

    www.oag.state.md.us

For Residents of North Carolina: You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office, whose contact information is as follows:

  • North Carolina Attorney General’s OfficeConsumer Protection Division

    Mail Service Center

    Raleigh, NC 27699

    1-877-566-7226

    http://www.ncdoj.gov

For Residents of California:  You may also obtain information about preventing and avoiding identity theft from the California Attorney General’s Office, whose contact information is as follows:

  • California Attorney General’s OfficeCalifornia Department of Justice

    Attn: Office of Privacy Protection

    P.O. Box 944255

    Sacramento, CA 94244-2550

    (916) 322-3360; Toll-free in California: (800) 952-5225

For Residents of Iowa:  You may also obtain information about preventing and avoiding identity theft from the Iowa Attorney General’s Office, whose contact information is as follows:

  • Iowa Attorney General’s OfficeDirector of Consumer Protection Division

    1305 E. Walnut Street

    Des Moines, IA 50319

    (515) 281-5926

    www.iowaattorneygeneral.gov

For Residents of Oregon:  State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission.  Contact information for the Oregon Department of Justice is as follows:

  • Consumer Hotline:(503) 378-4320

    From Portland (Toll-Free): (503) 229-5576

    From Elsewhere in Oregon (Toll-Free):  1-(877)-877-9392

For Residents of Massachusetts:  You have a right to obtain a police report relating to this incident.  If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

How do I Obtain a Copy of My Credit Report? 

You may obtain a free credit report, whether or not you suspect any unauthorized activity on your account, online by visiting www.annualcreditreport.com, by calling toll-free at 1-877-322-8228.  You may also obtain a free credit report by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to:

  • Annual Credit Report Request ServiceP.O. Box 105281

    Atlanta, GA 30348

You may also obtain a copy of your credit report by contacting any one or more of the national consumer reporting agencies listed below. They can also provide you with additional information about fraud alerts and security freezes:

Do I Have to Pay for my Credit Report? 

You are entitled to a free annual credit report and may obtain that report online by visiting www.annualcreditreport.com, by calling toll-free at 1-877-322-8228.  You may also obtain a free credit report by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to:

  • Annual Credit Report Request ServiceP.O. Box 105281

    Atlanta, GA 30348

What is a Fraud Alert and How do I Place one on my Credit File? 

A fraud alert is a notice placed on your credit file that alerts creditors that you could be a victim of fraud.  Fraud alerts are designed to encourage creditors to take additional steps to verify your identity before creating new credit accounts in your name or taking other actions related to your credit, such as increasing credit limits or adding a card to a pre-existing credit or debit card account. 

There are three types of fraud alerts that last for varying time-periods: (1) initial fraud alerts, which last for 90 days, (2) extended fraud alerts, which last for 7 years, and (3) for military personnel, active duty alerts, which last for 1 year. To place a fraud alert on your account, contact one of the three major credit reporting agencies:

What is a Security Freeze and How do I Place One on my Credit File? 

A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may delay your ability to obtain credit. Please note that placing a security freeze may prevent you from obtaining credit monitoring services.

To place a security freeze on your credit report, you need to send a request to a consumer reporting agency by certified mail, overnight mail, or regular stamped mail. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The cost of placing, removing, or temporarily lifting a security freeze varies by state, but generally costs between $5 and $20 for each action at each credit reporting company.

  • Equifax Security FreezeP.O. Box 105788

    Atlanta, GA 30348

    1-800- 685-1111

    www.equifax.com

  • Experian Security FreezeP.O. Box 9554

    Allen, TX 75013

    1-888-397-3742

    www.experian.com

Additional Information for Massachusetts Residents:  If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze.


Also published on Medium.