Wendy's customers asked for weeks: Where's the breach?
And for weeks it remained a mystery.
In early January, many customers who frequented the burger joint's locations in Florida, Nevada, California and Illinois began to complain on social media about unauthorized transactions on their credit cards. Kristin Faltin, a student at Northern Illinois University, suspected her credit card information was stolen in early January after a trip to a Wendy's in DeKalb, Illinois.
"It was through a drive-thru, so I'm not sure if it was run through a card reader," Faltin told CNBC.com. "I had insufficient funds or not enough credit so they weren't able to get much from my account."
News of the Wendy's hack didn't surface until security blogger Brian Krebs reported it in late January. When Wendy's reported earnings in February, it acknowledged "unusual credit card activity" stemmed from malware on certain Wendy's restaurants systems. What it didn't say is whether those restaurants were owned by the companies or by franchisees.
Therein lies the rub.
The big difference between Wendy's malware incident and other prominent hacks, like the one Target suffered during the holiday shopping season in 2013, lies in where responsibility for the breach is assigned.
In late 2015, the credit card industry imposed rules on itself requiring all retailers to upgrade to new card readers that accept EMV (Europay, MasterCard, Visa) chips, meant to enhance security. The readers require users to insert, not swipe, their cards.