⛓ Supply Chain
Wendy's POS Malware Breach — 1,025 Restaurant Locations, Payment Cards
Incident Details
Between October 2015 and mid-2016, a sophisticated POS malware attack — attributed to the Carbanak/Anunak criminal group — affected point-of-sale systems at 1,025 Wendy’s franchise restaurant locations across the United States. Wendy’s operates approximately 5,700 US locations, making this roughly 18% of all restaurants. Attackers initially accessed Wendy’s systems through compromised credentials of a third-party POS support vendor.

Wendy’s first became aware of potential irregularities in January 2016 after being alerted by financial institutions to patterns of fraudulent card activity traced back to Wendy’s locations. The company initially disclosed the breach on 27 January 2016 and completed its investigation by July 2016. A second wave of the attack using different malware was also discovered. The malware captured payment card track data (including card numbers, expiration dates, and CVV codes) from device memory during transaction processing.

Wendy’s was sued by financial institutions and faced approximately $50 million in settlement costs. Payments processor First Data and point-of-sale vendor Aloha/NCR were also named in litigation. The breach demonstrated the extreme fragility of third-party remote access for POS support — a vector attackers have exploited repeatedly in retail and food service POS breaches.
Technical Details
- Initial Attack Vector: Attackers compromised Wendy's third-party POS support vendor and used the vendor's remote access credentials to install memory-scraping malware (a variant of Carbanak/Anunak BlackPOS) on POS systems at Wendy's franchise locations; the malware captured Track 2 payment card data from device memory during transactions.
- Vendor / Product: Wendy's restaurant POS systems (via third-party support vendor)
- Malware Family: Carbanak variant POS malware
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2015-10-01 Breach occurred
- 2016-01-27 Publicly disclosed
- 2016-07-08 Customers notified