Fast-food chain Wendy’s disclosed it was a victim of a point-of-sale system attack that installed malware on PoS computers affecting 300 franchise restaurants. The disclosure was part of the company’s first quarter 2016 SEC filings on Wednesday and is the most complete account to date of a 2015 data breach.
“In January, we began to investigate unusual payment card activity at our restaurants, and today we went a lot further,” said Bob Bertini, Wendy’s spokesperson in an interview with Threatpost. “We are sharing much more about the breach that involved less than 300 franchise restaurants.”
Bertini told Threatpost that part of a computer forensic investigation into the breach also revealed 50 additional Wendy’s restaurants had “unrelated cyber security issues.”
In its SEC filings, Wendy’s went further and said starting in the fall of 2015, malware was installed through the use of compromised third-party vendor credentials and targeted a PoS system used in a minority of its stores. According to Wendy’s, the breach impacted about 5 percent of the company’s 5,500 North American restaurants. Wendy’s also said it dodged a bullet because the malware did not infect its primary Aloha PoS system used in most of its restaurants.
“The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants,” the company wrote in its 2Q filings.
Bertini told Threatpost that Wendy’s has turned the investigation over to a third-party forensic investigation company. He said that the investigation is drawing to a close and expects a report soon. “We will share additional details in the coming weeks,” he said.
For cyber security experts, the Wendy’s data breach is representative of a number of recurring themes associated with PoS system attacks. One is the targeting of older magnetic stripe card PoS systems that haven’t been upgraded to chip-and-PIN bankcard technology and are still vulnerable to malware. The second is a trend where attackers are hungry for credentials that can later be used to pull off financially motivated crimes.
The recent Verizon Data Breach Investigations Report said that 12 percent of opened phishing emails targeting businesses contained malicious attachments designed to steal credentials.
“I’d expect that the attack was enabled by weak credentials instituted by the unnamed secondary POS vendor,” wrote Tod Beardsley, security research manager at Rapid7 in a research note in response to the Wendy’s breach.
Another security expert called the breach “Groundhog Day all over again.” Steven Grossman, VP program management at Bay Dynamics said, “Three years after Target we are continuing to see a long list of companies hit by these same types of attacks. The PoS system should be a company’s crown jewel and needs to be protected at all costs.”
Wendy’s is also being criticized for a slow response between the initial breach (believed to have occurred in October 2015), the public disclosure of the breaches in January, and the time it took Wendy’s to neutralize the attack in March. Banks and credit unions are miffed at Wendy’s, accusing it of not moving fast enough to stop the breach. They also claim that Wendy’s was holding on to customer bankcard data too long, increasing risk of theft.
One of those financial institutions is First Choice Federal Credit Union, which is suing Wendy’s in a Federal Court in Pittsburgh, Pa. In a lawsuit filed in April, it claims the fast-food chain “refused to take steps to adequately protect its computer systems from intrusion.” The suit claims that Wendy’s took nearly five months to stop the data breach.
“This disconnect between incentives and risks due to the interconnected relationships between retailer, POS vendor, card holders, and card issuers makes this sort of crime very difficult to combat in a practical and consistent way, and inconsistencies in systems is where systemic crime lives and breathes,” Beardsley said.