Alleged Data Breach at Wendy’s
On February 22, 2026, a threat actor claimed responsibility for leaking what is termed as the “Wendy’s International Franchise Database.” This breach allegedly exposed crucial operational details, franchisee contact information, and real-time payment integration credentials, affecting multiple food service brands.
To date, neither Wendy’s US nor Wendy’s UK has publicly acknowledged the incident. The Access Group, which owns the QikServe platform—believed to be the breached infrastructure—has also remained silent.
Details of the Alleged Data Leak
The purported leaked dataset includes detailed franchisee records, encompassing full physical addresses, geographic coordinates, and contact email addresses. Additionally, the data dump reveals operational configurations, such as business hours, ordering slot availability, and venue statuses.
Recent timestamps on promotional records, validated as of February 2026, confirm the dataset’s currency. The exposure of live payment integration credentials, including Worldpay Access configurations with Apple Pay and Google Pay merchant IDs, alongside multiple Stripe pk_live publishable keys and a Sentry DSN, is particularly concerning.
While Stripe keys are typically client-side, their combination with merchant IDs and Sentry DSN details significantly broadens the potential for exploitation, allowing adversaries to inject fraudulent data and infer backend details.
Link to Multi-Brand Platform
The leak contains records from various brands, such as Wendy’s Oxford (UK), Brackley Pub, Sbarro Colne, City Mill Bakes, and KFC Nitra. This diversity suggests a shared hospitality SaaS platform is at the breach’s core, likely QikServe, acquired by The Access Group in 2024.
QikServe is operational in over 8,000 outlets across 40 countries, handling millions of transactions annually. A threat intelligence report supports the dataset’s authenticity, noting internal consistency and current timestamps.
Recommendations for Affected Parties
Franchisees and platform operators are urged to immediately rotate all live Stripe keys and Worldpay credentials. Sentry DSN endpoints should be updated to prevent unauthorized telemetry access.
A comprehensive audit of the QikServe/Access Hospitality API logs is recommended to detect any unauthorized activity. Additionally, UK and European operators must evaluate their GDPR notification responsibilities, as the breach involves sensitive contact and operational data.
Stay informed by following us on Google News, LinkedIn, and X for daily updates on cybersecurity. Contact us if you have stories to share.
