A threat actor claimed on February 22, 2026, to have leaked what they are calling the “Wendy’s International Franchise Database,” exposing sensitive operational configurations, franchisee contact data, and live payment integration credentials across multiple food service brands.
No public acknowledgment has been issued by Wendy’s US or Wendy’s UK at the time of writing, and The Access Group, whose QikServe platform is the likely underlying infrastructure, has also not released a statement.
The leaked dataset reportedly contains franchisee records, including full physical addresses, latitude/longitude coordinates, and contact email addresses.
Alongside location data, the dump includes day-by-day operational configurations, opening hours with pickup and delivery flags, next available ordering slots, internal venue status (ACTIVE), and timezone/locale settings.
Active promotional records with creation and update timestamps confirmed as recent as February 2026 validate the dataset as current and not archival.
The most critical exposure involves live payment integration credentials. The database allegedly contains Worldpay Access configurations with Apple Pay and Google Pay merchant IDs, multiple Stripe pk_live publishable keys, and a Sentry DSN (Data Source Name).
While Stripe publishable keys are client-side by design, their combination with merchant IDs and Sentry DSN credentials broadens the attack surface considerably.
A leaked Sentry DSN can allow adversaries to inject fraudulent telemetry, monitor application errors, and infer backend infrastructure details. Per-venue feature flags were also exposed, revealing which platform modules are active at each location.
Multi-Brand Platform Link to QikServe
Sample records in the leak include Wendy’s Oxford (UK), Brackley Pub, Sbarro Colne (inside a fuel station), City Mill Bakes (Gibraltar), and KFC Nitra (Slovakia).
The presence of multiple unrelated food service brands sharing the same database architecture strongly indicates the breach originates from a shared hospitality SaaS platform, almost certainly QikServe, now part of The Access Group.
The Access Group acquired QikServe in September 2024; the platform is deployed in over 8,000 outlets across more than 40 countries, processing hundreds of millions of transactions and over £3 billion in digital sales annually.
The threat intelligence report assigns a confidence rating of 4 out of 4, citing internal consistency across all sample records, timestamps current through 2026, and a database structure matching known hospitality SaaS online-ordering backends.
Affected platform operators and franchisees should treat the following as urgent. All live Stripe publishable keys and Worldpay merchant credentials should be rotated immediately, as their pairing with merchant IDs and feature configs creates exploitable transaction flows. Sentry DSN endpoints should be regenerated to cut off any adversarial access to telemetry.
A full audit of the QikServe /Access Hospitality API access logs is advised to identify unauthorized queries. UK and European franchisees must also assess GDPR notification obligations under the UK GDPR and EU GDPR Article 33, given that franchisee contact data and operational PII appear in scope.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
