Wendy’s Update on Payment Card Security Incident



Customers Now Able to Access More Specific Information About Potentially Impacted Locations on Website — Company Offers Complimentary Fraud Consultation and Identity Restoration Services

Wendy's Update on Payment Card Security IncidentThe Wendy’s Company (NASDAQ: WEN) updated its customers today regarding malicious cyber activity experienced at some Wendy’s restaurants. The Company first reported unusual payment card activity affecting some franchise-owned restaurants in February 2016. Subsequently, on June 9, 2016, the Company reported that an additional malware variant had been identified and disabled. Today, the Company, on behalf of affected franchise locations, is providing information about specific restaurant locations that may have been impacted by these attacks, all of which are located in the U.S., along with support for customers who may have been affected by the malware variants.

“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy’s restaurants,” said Todd Penegor, President and Chief Executive Officer. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”

Wendy’s customers are encouraged to learn more about this new information at the following address: www.wendys.com/notice.  The update includes a list of restaurant locations that may have been involved in the incidents, as well as information on how customers can protect their credit and details regarding how potentially affected customers can receive one year of complimentary fraud consultation and identity restoration services.  A link to the update can also be found on the Company’s homepage, www.wendys.com.

Working closely with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the Company has determined that specific payment card information was targeted by the additional malware variant. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Generally, individuals that report unauthorized charges in a timely manner to the bank or credit card company that issued their card are not responsible for those charges.  As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards.

The Company believes the criminal cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.  To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

The Company worked with investigators to disable the malware involved in the first attack earlier this year. Soon after detecting the malware variant involved in the latest attack, the Company identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy’s franchisee systems starting in late fall 2015.

The Company has continued to update customers on the progress of its investigation, most recently on June 9. Previous updates can be found on www.wendys.com.