Data Breach , Fraud , Payments Fraud
Malware Infected POS System Used at Fewer Than 300 LocationsRestaurant chain Wendy's has confirmed that fewer than 300 of its approximately 5,500 franchised locations in North America were affected by a fall 2015 malware attack that infected an unnamed point-of-sale system not used at its other locations.
See Also: Secure, Agile Mobile Banking: Keeping Pace with Last Best User Experience
The breach highlights why all franchisees under a corporate brand should use the same well-tested POS system, says Avivah Litan, financial fraud expert and Gartner analyst. "It's a good idea to standardize on secure EMV-certified POS equipment across stores as soon as possible," she says. "This can help avoid security breaches."
In its first quarter earnings statement released May 11, Wendy's says it now believes malware was installed "through the use of compromised third-party vendor credentials."
The third-party vendor was not named. But the statement adds that the NCR Aloha POS system, which is used at most of its locations, does not appear to have been affected.
"The Aloha system is already installed at all company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016," Wendy's states. "The company expects that it will receive a final report from its investigator in the near future."
The restaurant chain also notes that the firm it hired to investigate the breach has identified approximately 50 additional franchised locations that "are suspected of experiencing, or have been found to have, unrelated cybersecurity issues. The company and affected franchisees are working to verify and resolve these issues."
Wendy's did not respond to ISMG's request for further comment.
The company detected the breach in January, after numerous card issuers traced suspicious payment card activity back to its restaurants (see 'Where's the Breach?').
In April, Pennsylvania-based First Choice Federal Credit Union filed a breach-related class action lawsuit against Wendy's, claiming the restaurant chain failed to meet industry best practices for securing card data by not being EMV compliant by the Oct. 1, 2015, fraud liability shift date (see Suit Against Wendy's Cites Lack of EMV).
Breadth of Breach
While Wendy's has not revealed the number of cards exposed in the breach, some card issuers tell Information Security Media Group that they believe the total is relatively small.
"I am sure Wendy's management is relieved that the damage was somewhat contained," Litan says. "But I think it's as significant as originally expected. Seems that the days of mega Target-size breaches are behind us."
But John Buzzard, the former head of FICO's Card Alert Service who now works as director of product management for security firm Rippleshot Fraud Analytics, says the Wendy's breach, despite the relatively small number of locations affected, had a significant impact.
"This breach has been extremely virulent and card issuers have struggled to contain the losses," he says. "The criminals have played a clever game of using the stolen cards within roughly the same ZIP code as the account holder. This is a tough play for issuers to deal with. And some industry insiders feel that this breach isn't yet contained, due to new instances of fraud outside the breach timeline."
Ed Cabrera, vice president of cybersecurity strategy at security firm Trend Micro, and a former CISO for the U.S. Secret Service, says the Wendy's incident points to the need for updated POS systems.
"This demonstrates that the transition to EMV and updating systems is paramount for the modern enterprise. It reflects the need to invest in both EMV and breach-detection technology to establish a holistic approach, shifting from incident response to proactive engagement to mitigate pervasive threats."
Merchants should go beyond EMV to incorporate additional security layers, including tokenization, says Bob Carr, founder and CEO of Heartland Payment Systems, a payment processing and POS provider that was breached in 2008 (see Heartland's Carr on U.S. Card Security Shortcomings).
In October, shortly after the EMV fraud liability shift took effect, Carr said: "Without tokenization and end-to-end encryption, payment data will still be vulnerable to attack and compromise."