Wendy’s restaurants in North America are on alert after a pattern of suspicious credit card activity has raised fears of a security breach. The chain restaurant, which served nearly 50 million diners last spring, is encouraging recent customers to monitor their bank statements for unusual charges. But the burger chain says it still doesn’t know the nature of the possible breach or which restaurants have been targeted.
“Wendy’s is currently investigating reports of unusual activity involving payment cards at some restaurant locations,” Wendy’s spokesman Bob Bertini told The Daily Beast in a statement. “Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants.”
Security blog Krebs on Security received word of a potential Wendy’s breach this month, when sources in the banking industry noticed a series of fraudulent charges on credit cards that recently had been used at Wendy’s restaurants. Spokespeople for the restaurant chain say the breach likely occurred in late December.
Wendy’s has hired cybersecurity experts to investigate a possible attack but says it cannot yet determine how many of its nearly 6,500 restaurants might be vulnerable
“We have been working with our payment industry contacts since recently learning of these reports, and we have launched a comprehensive investigation with the help of cybersecurity experts to gather facts, while working to protect our customers,” Bertini said. “We also are fully cooperating with law enforcement authorities. Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident.”
Wendy’s would hardly be the only major retailer—or even the only major fast-food chain—to fall prey to credit card thieves. Major restaurant conglomerate Landry’s Inc., which owns more than 500 restaurants including Rainforest Cafe and Bubba Gump Shrimp Company, was hacked for customer information in December. In 2014, a hack at Chinese restaurant chain P.F. Chang’s exposed credit card information at 33 restaurants.
And unless restaurants move to upgrade their computer systems, these breaches could become increasingly common. Cybersecurity is often an afterthought at restaurants, which usually run their point of service software on outdated systems without bothering to create secure passwords or update security software. These vulnerable systems frequently store customer information like credit card numbers.
“Sixty-three percent of businesses store unencrypted credit cards on their business networks,” security expert Gary Glover writes. “An amateur with a grade school computer education can often hack a poorly defended business network in minutes after downloading free hacking templates on the Web.”