Fast food chain Wendy’s on Thursday revealed that 1,025 of its 5,144 franchise locations in the US were targeted by what the company describes as a sophisticated, criminal cyberattack that resulted in customers’ payment card information being compromised.

If you recall, Wendy’s first launched an investigation into the matter in January after learning about fraudulent charges on some customers’ credit and debit cards. At the time, the burger chain said the attack impacted less than 300 of its franchise locations.

Last month, Wendy’s said it learned of and disabled additional malware, a discovery that would significantly increase the number of affected locations.

In a statement published earlier today, Wendy’s said it believes the cyberattack resulted from a service provider’s remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ POS systems. Once discovered, the company identified a method of disabling it and has done so in all locations.

The malware targeted customers’ credit and debit card numbers, cardholder names, expiration dates, cardholder verification values and service codes.

Wendy’s hasn’t yet revealed how many customers might have been impacted by the security breach. Customers are urged to review a list of affected locations on its website to help determine if their information may have been compromised. Wendy’s is also offering a complementary year of fraud consultation and identity restoration service to affected customers.

Image courtesy Reuters