Newsroom

Wendy's says the list of locations affected by its malware breach now tops 1,000 – more than three times its previous estimate – and it said the malware targeted point-of-sales systems and cardholder names, numbers and verification codes.

In June, the franchise admitted that a "significantly higher" number than the previous estimate of 300 restaurants had been affected, and they admitted the threat might not yet be contained. On Thursday, the franchise admitted that card information had been stolen at 1,025 of its locations.

"It is an outrage that retailers continue to compromise the safety of consumers' sensitive financial information and our economy," said NAFCU President and CEO Dan Berger. "Congress must act to implement national data security standards for retailers. Without these standards, essentially every time consumers use their credit or debit card they are gambling to see when their data will be breached, not if."

KrebsOnSecurity previously reported that multiple financial institutions believed Wendy's locations were still "leaking" card data as late as early April. The breach is believed to have begun in late 2015. Several class actions, including two by credit unions, have also been filed. Wendy's has also offered free fraud consultation and identity restoration services to those affected.

In March, Berger told Krebs that some credit unions suspected the breach could be even worse than those at Target and Home Depot.

NAFCU continues to push for a strong national data security standard for retailers through the "Data Security Act" (H.R. 2205/S. 961), which would hold retailers to the same standards credit unions already follow under the Gramm-Leach-Bliley Act and institute consumer notification requirements.

In related news, the Homeland Security Department warned about security gaps in the Symantec and Norton antivirus programs this week. The alert called the vulnerabilities "very serious" and urged users to update Symantec programs immediately to take advantage of recent patches.