Credential theft ⛓ Supply Chain

Wendy's POS Malware Breach (1,025 Franchise Locations)

📅 2015-10-01 🦠 POS malware (two distinct strains)
Primary Source ↗

Incident Details

Between approximately fall 2015 and spring 2016, POS malware was deployed at Wendy’s franchise restaurant locations in the United States. Wendy’s first disclosed the breach in May 2016 as affecting approximately 300 franchise locations, then expanded the disclosure in July 2016 to 1,025 locations after discovering a second distinct malware strain. The breach was initiated via compromised remote-access credentials of a third-party service provider with access to Wendy’s franchisee POS systems, a supply chain attack vector similar to the Target 2013 breach. Two separate malware strains were identified: the first affecting ~300 locations, and a second affecting additional corporate-owned locations. Exposed data included cardholder names, card numbers, expiration dates, service codes, and CVV data from magnetic stripe reads. The breach prompted class-action lawsuits and an investigation. Wendy’s franchise locations and corporate-owned locations used different POS systems, which contributed to the scope differences between the two disclosure waves.

Technical Details

Initial Attack Vector
Attackers compromised remote-access credentials belonging to a third-party service provider with access to Wendy's franchisee POS systems, then installed POS malware across multiple franchise locations. A second, distinct malware strain was later discovered affecting additional locations.
Malware Family
POS malware (two distinct strains)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2015-10-01 Breach occurred
  2. 2016-05-11 Publicly disclosed
  3. 2016-07-01 Customers notified