Wendy's has 'fessed up that the malware infection in its cash registers, first thought to have impacted 300 restaurants, hit more like 1,000 outlets, and says an unnamed service provider let the attackers into its systems.

The American fast-food chain has owned up that the number of its stores in the US with bank-card snooping malware-infected tills was "considerably higher" than its original estimate.

Wendy's told journalists the total stands at 1,025 restaurants out of about 3,000.

The infection was first detected in January, when banks started noticing suspicious activity on credit cards. The original compromise happened late in 2015.

It took until May for the burger-flipper to say it thought 300 stores were infected. The software nasty was able to swipe cardholder names, credit or debit card numbers and expiration dates, we're told.

There's a pretty strong hint that there was more than one successful campaign, because since Wendy's has begun investigating, it turned up a second variant of the malware:

As part of the ongoing investigation that has been underway, Wendy's discovered a variant of the malware – similar in nature to the original but different in its execution – affecting additional franchise locations. We believe this series of cybersecurity attacks resulted from certain service providers' remote access credentials being compromised, allowing access to the POS system.

Credit where it's due: the company has taken the unusual but welcome step of providing a tool to let customers check if their credit cards have been pwned, here. ®