The Wendy's franchise in Brainerd was one of about 1,000 locations affected by malicious cyber activity targeting customers' payment card information.
In a news release Thursday, the Wendy's Company announced the specific locations affected by the data breach, which was first reported in February. Those who used payment cards between Jan. 13 and June 8 in Brainerd could be impacted by the breach, according to a database offered by the company. Several other franchises in Minnesota cities are also affected, although none of those locations are in the Brainerd lakes area.
The company first reported unusual payment card activity affecting some franchise-owned restaurants in February. Subsequently, on June 9, the company reported that an additional malware variant had been identified and disabled.
Working with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the company determined that specific payment card information was targeted by the additional malware variant. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.
"We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants," said Todd Penegor, president and chief executive officer, in the release. "We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures."
The company stated the criminal cyberattacks resulted from service providers' remote access credentials being compromised, allowing access (and the ability to deploy malware) to some franchisees' point-of-sale systems. To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity.
Christopher Tangen, chief technology officer at Mid-Minnesota Federal Credit Union, said the first thing those who've noticed suspicious transactions should do is contact their financial institution. Tangen said institutions are typically notified of specific accounts at risk in a situation like this and are able to flag those accounts.
"Make sure you monitor your accounts regularly using online banking to be watching for any suspicious activity," Tangen said. "If you do actually encounter any suspicious activity you want to report that immediately."
Tangen said people should not panic and that financial institutions are equipped to deal with data breach situations.
"We've had some big breaches with Target and Home Depot," Tangen said. "It's not like this hasn't happened. Yes, it's right in our backyard, which maybe feels scarier. But Target is right in our backyard, and so is Home Depot."
In the case of identity theft, Tangen said to contact the appropriate authorities, such as the sheriff's office or state's attorney general, as well as credit bureaus.
Tangen said consumers can help by remaining vigilant in monitoring their accounts. He noted many online banking apps now allow customers to receive text alerts for certain types of transactions, up to every single transaction that occurs in an account. He also recommended consumers inform their financial institutions if they have out-of-town travel planned.
"I always recommend to people before you travel, call and let people know where you're going, the duration you plan to be there," Tangen said. "Unfortunately, fraud is in the world and it's here to stay and I don't think it's going to go away any time soon."
According to its news release, Wendy's is offering customers a complimentary year of fraud consultation and identity restoration services. For more information, call 866-779-0485 between 8 a.m. and 5:30 p.m., Monday through Friday.