Wendy’s confirmed on Wednesday that malicious software affected PoS (point-of-sale) devices in around 300 of the burger chain’s 5,500 franchised stores, or about five per cent of all its restaurants in North America.
The update on Wednesday quantifies the extent of a previously announced breach and came as Wendy’s announced its first quarter financial results, in themselves of little or no relevance to Reg readers. The section covering an “update on investigation into unusual credit card activity”, however, sheds fresh light on the hack against the fast food outlet’s cash registers by as yet unidentified cybercrooks. Wendy’s said it has cleaned up the malware as well as finding further unrelated problems in its stores as part of an ongoing security response operation.
As previously reported, the Company engaged cybersecurity experts earlier this year to conduct a comprehensive investigation into unusual credit card activity at some Wendy's restaurants. Investigation into this activity is nearing completion. Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy's restaurants, starting in the fall of 2015. These findings also indicate that the Aloha point of sale system has not been impacted by this activity. The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016. The Company expects that it will receive a final report from its investigator in the near future.
The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.
Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues. The Company and affected franchisees are working to verify and resolve these issues.
Investigative journalist Brian Krebs reports that affected Wendy’s locations were still leaking customer card data up until early April, weeks after he broke news of the breach in late January. This has caused rumbles of discontent from banks, Krebs adds.
Security experts are not altogether surprised that the breach - one of a growing series centred on malware infecting PoS terminals at hotels and retail outlets - took months to contain.
Tod Beardsley, security research manager at Rapid7, commented: "The Wendy's breach illustrates a number of recurring themes that we see with point-of-sale (PoS) system-based financial crime. The criminal activity was ongoing, lasting at least six months from detection to containment. The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third party POS vendor for security. The fact that the breach affected only 5 per cent of Wendy's locations is certainly a contributing factor to its success; a small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialise.”
“It's easy to say this was Wendy's problem – and Wendy's is certainly taking on some of the responsibility by working hard to investigate and mitigate the issue — but I’d expect that the attack was enabled by weak credentials instituted by the unnamed secondary PoS vendor,” he added. ®