Wendy's recently announced that hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants, far more than it originally thought.
Wendy's first reported unusual payment card activity affecting some franchise-owned restaurants in February 2016. On Saturday, the company reported that an additional malware variant had been identified and disabled.
The hamburger chain said hackers have had access to card numbers, names, expiration dates, and codes on the card, since late fall.
"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants," said Todd Penegor, president and chief executive officer, in a statement.
The Dublin, Ohio, company first announced it was investigating a possible hack in January. In May, it said malware was found in fewer than 300 restaurants. About a month later, it said two types of malware were found and the number of restaurants affected was "considerably higher."
There are more than 5,700 Wendy's restaurants in the U.S.
The fast-food chain encouraged customers to watch for unauthorized charges on their cards. Generally, if you report unauthorized charges in a timely manner to the bank or credit card company that issued your card, you are not responsible for those charges.
In a corporate statement, Wendy's said the criminal cyberattacks resulted from service providers' remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees' point-of-sale systems.
According to the company, the malware was first deployed in late fall 2015 and it was disabled by early spring 2016.
Customers can see which locations were affected through the Wendy's website. The company said it is offering free one-year credit monitoring to people who paid with a card at any of those restaurants.
Mr. Penegor said, "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."