Burger chain Wendy's said in its earnings report that hundreds of company's franchisees were hacked in late 2015. The revelation came after a recent class action lawsuit suggested losses stemming from the breach were greater than that suffered by retailers Target and Home Depot.
The company declined to discuss specifics on its conference call with analysts Wednesday after its earnings were released, but the burger chain is expecting to spend more in the courtroom.
"We did bolster up our legal reserves," the company's CFO, Todd Penegor, told analysts.
In the wake of the Wendy's hack that hit hundreds of franchisees, the company said its own restaurants and new point-of-sale payments system were unaffected.
"The company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy's restaurants," the company said in its quarterly filing Wednesday. "The [new] Aloha point of sale system has not been impacted."
Wendy's also reported another 50 franchise restaurants are or have suffered "unrelated cybersecurity issues," without further defining them.
The burger chain also acknowledged a late-April class action complaint filed against it in Pennsylvania federal court by First Choice Federal Credit Union and others, saying Wendy's "pervasive and inadequate approach to data security" caused unspecified damages. Lawyers representing the bank did not respond to requests for comment.
"Taking advantage of Wendy's lax data security and delayed notification to financial institutions and the public, hackers were able to gather large amounts of consumer data," the lawsuit stated. "Unknown perpetrators also specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions… to suffer losses much greater than what was experienced after the Home Depot or Target data breaches."
Target previously said its data breach, in 2014, cost it more than $140 million.
"The investigation, which is being led by a third-party, is drawing to a close," a Wendy's spokesman told CNBC.com after the earnings call. "We expect to receive a final report soon and anticipate being in a position to share additional detail regarding the investigation and its results in the coming weeks."
The class action suit follows a separate, similar suit from a Florida man who said he lost hundreds of dollars when his credit card data was stolen after he visited a Wendy's.
Fallout from the Wendy's hack, and from the lawsuit, could guide future hacking incidents and response strategies. In late 2015, the credit card industry established rules requiring retailers to upgrade to card readers that accept "EMV" (or, Europay, MasterCard and Visa) chips. But some of Wendy's franchisees lagged in the transition, and the continuing fallout from the hack could become more of an expense to them than the corporation.
Wendy's saw its stock fall despite beating earnings expectations, in part on falling revenue. The stock slid more than 7 percent in trading Wednesday afternoon, pushing it into negative territory for 2016.