Wendy’s Franchise Database Allegedly Breached: Sensitive Data Exposed
On February 22, 2026, a threat actor claimed to have leaked the Wendy’s International Franchise Database, potentially exposing sensitive operational configurations, franchisee contact information, and live payment integration credentials across multiple food service brands.
As of now, neither Wendy’s US nor Wendy’s UK has publicly acknowledged the alleged breach. Similarly, The Access Group, whose QikServe platform is believed to be the underlying infrastructure, has not released a statement regarding the incident.
Details of the Alleged Data Leak
The leaked dataset reportedly includes comprehensive franchisee records, encompassing full physical addresses, latitude and longitude coordinates, and contact email addresses. In addition to location data, the dump contains detailed operational configurations such as daily opening hours with pickup and delivery options, next available ordering slots, internal venue statuses marked as ACTIVE, and timezone/locale settings.
Notably, active promotional records with creation and update timestamps as recent as February 2026 suggest that the dataset is current and not archival.
Exposure of Payment Integration Credentials
One of the most critical aspects of this alleged breach is the exposure of live payment integration credentials. The database purportedly contains Worldpay Access configurations with Apple Pay and Google Pay merchant IDs, multiple Stripe `pk_live` publishable keys, and a Sentry DSN (Data Source Name).
While Stripe publishable keys are designed for client-side use, their combination with merchant IDs and Sentry DSN credentials significantly broadens the potential attack surface. A leaked Sentry DSN could allow adversaries to inject fraudulent telemetry, monitor application errors, and infer backend infrastructure details. Additionally, per-venue feature flags were exposed, revealing which platform modules are active at each location.
Connection to QikServe Platform
Sample records in the leak include various food service brands such as Wendy’s Oxford (UK), Brackley Pub, Sbarro Colne (inside a fuel station), City Mill Bakes (Gibraltar), and KFC Nitra (Slovakia). The presence of multiple unrelated brands sharing the same database architecture strongly indicates that the breach originates from a shared hospitality SaaS platform, most likely QikServe, now part of The Access Group.
The Access Group acquired QikServe in September 2024. The platform is deployed in over 8,000 outlets across more than 40 countries, processing hundreds of millions of transactions and over £3 billion in digital sales annually.
Recommended Actions for Affected Parties
Given the severity of the alleged breach, affected platform operators and franchisees should take immediate action:
– Rotate Credentials: All live Stripe publishable keys and Worldpay merchant credentials should be rotated immediately. Their pairing with merchant IDs and feature configurations creates exploitable transaction flows.
– Regenerate Sentry DSN Endpoints: To cut off any adversarial access to telemetry, Sentry DSN endpoints should be regenerated.
– Audit API Access Logs: A comprehensive audit of the QikServe/Access Hospitality API access logs is advised to identify any unauthorized queries.
– Assess GDPR Notification Obligations: UK and European franchisees must assess their GDPR notification obligations under the UK GDPR and EU GDPR Article 33, given that franchisee contact data and operational personally identifiable information (PII) appear to be in scope.
As the situation develops, it is crucial for all stakeholders to remain vigilant and implement robust security measures to protect sensitive data and maintain customer trust.
