Dublin, Ohio-based, fast food chain Wendy's confirmed thathackers breachedcustomer payment card data at 1,025 of its restaurantsnationwide, a number considerably higher than originallybelieved.

Wendy's said it worked with forensic experts, federal lawenforcement and card industry contacts and found that specific cardinformation (cardholder name, card number, expiration date,cardholder verification value and service code) was targeted bymalware. The investigation found that the malware first hit some franchisee systems as early as fall2015.

“We are committed to protecting our customers and keeping theminformed. We sincerely apologize to anyone who has beeninconvenienced as a result of these highly sophisticated, criminalcyberattacks involving some Wendy's restaurants,” Todd Penegor,Wendy's president/CEO said. “We have conducted a rigorousinvestigation to understand what has occurred and apply thoselearnings to further strengthen our data security measures.”

The company also released a list of locations affected by thebreach, searchable by city and state but did not specify how manycustomers took a hit.

Cybersecurity expert Brian Krebs first reported the breach inJanuary. In mid-May, the company announced in its first quarterfinancial statement that the fraud only affected 5% of stores,fewer than 300 locations.

However, a number of sources in the fraud and banking communitytold Krebs there was no way the Wendy's breach only affected 5% ofstores, given the volume of fraud the financial institutions tracedback to Wendy's customers.

In June, the Michigan Credit Union League, its members and CUNAadvocated for stronger merchants and card network accountabilityafter the Wendy's restaurants breach forced several credit unionsto cover associated costs. CUNA also announced it was also joininga data breach lawsuit against the restaurant chain.

According to CUNA, industry sources estimated the fraudulentcharges have been even larger than in other recent data breachessuch as those at Target and Home Depot, which combined cost creditunions more than $90 million.

Vicki McIntosh, president/CEO of the $21.5 million, Richmond,Mich.-based BelleRiver Community Credit Union, said her cooperative paid $8,000in fraudulent charges. In addition, the credit union paid $1,000 inout-of-pocket costs to issue new cards because of the breach.

McIntosh, Michigan credit union leaders and the Michigan CreditUnion League CEO Dave Adams called on lawmakers to requireretailers to be held to the same federal data breach standardscredit unions are subject to, and to enforce the laws currently inplace.

“The current system is broken, retailers big and smallexperience a breach and months go by without any notice to creditunions of which cards are compromised, which results in a spike infraud losses, and once again local credit unions are left holdingthe bag,” Adams said. “Again, we call on lawmakers and regulatorsto use their full authority to ensure both retailers and cardnetwork companies are doing their part to protect customer'sinformation instead of leaving credit unions to continuallyshoulder the burden.”

Ondrej Krehel, founder/CEO of the New York City-basedLIFARS, a digital forensics and cybersecurity intelligencefirm, noted, “Malware distribution is becoming a commodity, andorganized crime rings are moving latterly from target to target. Noone is immune, and many times the same crime group penetratesmultiple networks of various enterprises.”

NAFCU President/CEO Dan Berger issued the following statement inlight of Wendy's announcement:

“It is an outrage that retailers continue to compromise thesafety of consumers' sensitive financial information and oureconomy,” Berger said. “Congress must act to implement nationaldata security standards for retailers. Without these standards,essentially every time consumers use their credit or debit cardthey are gambling to see when their data will be breached, notif.”

NAFCU said it was first financial trade organization to call fornational data security standards for retailers, and emphasized itcontinues to push for legislative action on Capitol Hill.

NAFCU added it believes the bipartisan legislation S. 961, alsoknown as the Data Security Act of 2015, which is currently beforeCongress, would set a national data security standard for retailersakin to the Gramm-Leach-Bliley Act and would hold retailersaccountable for breaches occurring on their end while acknowledgingfinancial institutions' existing adherence to GLBA standards.

The Wendy's chain includes about 6,500 franchise and companyoperated restaurants in the United States, 28 other countries andU.S. territories worldwide. Most of the U.S.-operated stores arefranchises.