The Wendy's Company yesterday publicly identified over 1,000 U.S. franchised locations that were affected by two variants of point-of-sale malware discovered earlier this year, shedding new light on a previous warning from the fast-food giant that the true number of compromised locations was “considerably higher” than the 300 originally estimated.
Last May, the Dublin, Ohio-based company originally reported a data breach resulting from a POS malware attack, only to admit in June that another variant of malware was found at even more locations. After collaborating with investigators, Wendy's was able to confirm that this new variant stole specific payment card information, including cardholder names, credit and debit card numbers, expiration dates, cardholder verification values and service codes.
“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants,” said Todd Penegor, President and CEO, in a new press statement. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”
The company continues to maintain that no corporate locations have been affected – only franchised locations. The attacks began as far back as late fall 2015, and both variants of malware were introduced into Wendy's POS systems via a compromised third-party vendor's credentials.
“Unfortunately, the back door was left open, and once the back door is compromised, the ability to move laterally is very easy. Once inside hackers have access to the full network and can easily plant malware on point of sales,” stated Stephen Gates, chief research intelligence analyst at enterprise network security provider NSFOCUS, in comments emailed to SCMagazine.com. “That's the whole point of these types of attacks, and this one was completely motivated around monetary gain.”
Wendy's latest announcement unleashed a steady stream of criticism from members of the cybersecurity industry.
“What they [Wendy's] have shown over the past six months is that the scope of the malware infection is still unknown,” said Brad Bussie, director of product management at data security software company STEALTHbits Technologies, in emailed comments to SCMagazine.com. “When a company can no longer trust its end-point servers operating globally, drastic actions may be in order. The reputation of Wendy's is at stake and the quickest and most controlled way to eradicate the hack is to decommission the current stores' infrastructure. This approach will need precise orchestration, as none of the existing systems can be allowed to talk to the newly deployed systems.”
Matthias Maier, security evangelist at big-data software company Splunk, suggested in his own emailed comments that other retailers and restaurant chains should learn from this incident and place greater emphasis on early attack detection. “To identify suspicious behavior and malicious activity early, security teams need to take an analytics-driven approach, leveraging machine learning and anomaly detection, and ensuring they have the ability to analyze activities back over weeks or even months,” wrote Maier. “This will help organizations spot any potential indicators of a compromise.”
Wendy's is already the subject of multiple class-action lawsuits filed on behalf of affected cardholders and the financial institutions that issued payment cards to them. Cybersecurity reporter Brian Krebs had reported earlier this year that financial losses to credit unions from the Wendy's breach are on pace to surpass damages incurred from the high-profile Target and Home Depot breach incidents.
Wendy's is offering one year of complimentary fraud consultation and identity restoration services to all potentially impacted customers, the company stated.