The company reported suspicious activity earlier this year, but the scale of the breach is far bigger than first anticipated.
At least 1,025 of its restaurants were targeted – with debit and credit card information stolen.
The company did not speculate how many people may have been affected, though it did say all of the locations were in the US.
Malware – malicious software – had been installed on point-of-sale systems in the affected locations.
The chain said it was confident the threat had been removed, and was now offering help to customers who may have been affected.
Help includes the offer of one year of “complimentary” fraud protection services.
In a statement outlining the details of the attack, Wendy’s said the malware could have been operational in its restaurants from as early as Autumn 2015.
Suspicious activity was noticed in February of this year. The company went public with this discovery in May – saying it believed around 300 restaurants had been affected.
But with the number rising to more than 1,000, this hack ranks among one of the most significant in US history.
The Wendy’s hack bears some similarity to the attack on Target in 2013. In that breach, around 40 million customers’ details were stolen via malware installed on point-of-sale computers.
Wendy’s has blamed a third-party for the intrusion, saying a “service provider” that had remote access to the till systems was compromised.
The company did not say who that service provider was, nor did it explain why it had remote access to the tills of 1,025 of the firm’s 5,700 restaurants.
The company has set up a page for customers to check if a restaurant they bought food from has been affected.
‘Hungry for burgers’
Security researcher Graham Cluley said it is unlikely that many of those affected will be aware they are at risk.
“For most of us it’s not a red letter day if we go to somewhere like Wendy’s,” he said.
“And people won’t have registered which one they went to and where they were in the country when it happened.”
He also predicted that while the breach may be embarrassing for the firm in the short term, the company would most likely recover quickly.
“I think the average guy on the street has a fairly short memory when it comes to a data breach.
“When you have the choice of walking to Wendy’s which is five yards away, or you walk somewhere else 200 yards away. I think you’ll just go to Wendy’s.
“I’m pretty sure people will just be hungry for burgers again.”