Hadley Malcolm

USA TODAY

Fast-food chain Wendy's said Thursday that customers' personal information was compromised in a series of cyber attacks that started last year.

Wendy's, which has been investigating "unusual payment-card activity" since early this year, said that cardholder names, credit or debit card numbers and expiration dates are among data targeted in an attack on a point-of-sale system at some franchise-operated restaurants. The attack, discovered in May, had been underway since November.

A separate attack, which lasted from October until it was disabled in March, compromised card numbers and other account information, but not names, said Wendy's spokesman Bob Bertini. The security breaches affected approximately 1,025 franchise-operated Wendy's locations in the U.S. Wendy's has more than 5,100 franchised restaurants in the U.S. and 582 company-operated restaurants. The company said there's no evidence that its company-owned restaurants were impacted by the attacks.

The duration of the attacks shows how far the industry needs to go in being able to detect fraud, said Stephen Gates, chief research intelligence analyst at network security firm NSFOCUS.

"We’re looking at six months that a hacker had gained access and maintained that access," Gates said. "The longer someone has access, the more damage they can cause."

But Bertini said that the attackers were careful to cover their tracks.

"It was extremely difficult to detect," Bertini said. He said the "highly sophisticated" malware used in the most recent attack was "very quickly" disabled within about a week of being detected.

Many franchisees contract with third-party service providers for point-of-sale system support, while Wendy's provides that support internally for its company-owned locations, Bertini said.

The company has been working with the payment card industry, federal law enforcement and forensics experts throughout its investigation and said it will beef up security across all of its systems.

"We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures," CEO Todd Penegor said in a statement.

Wendy's will provide, on a dedicated part of its website, a list of restaurants where payment information may have been taken. Affected customers can receive a year of complimentary fraud consultation and identity restoration services.