Fast-food chain Wendy's says a cyberattack that stole payment card details affected 1,025 U.S. restaurants owned by franchisees, a far higher figure than first estimated.
See Also: How to Mitigate Credential Theft by Securing Active Directory
In May, Wendy's said fewer than 300 restaurants had been affected by the breach, which saw malware installed on point-of-sale systems. But on June 9, it said additional variants of the malware had been discovered, indicating a deeper breach.
Wendy's has created an online tool where patrons can check if a restaurant they visited was affected by the attacks, with search fields for the state and city.
A search showed customer payment details in some locales were at risk as late as June 10. But the systems are now clean.
"Working with our cybersecurity investigators, the malware has been disabled where it was found," says Bob Bertini, Wendy's senior director of corporate communications, via email.
Two Waves of Attacks
The company appears to have fought a long battle against the hackers since late January when card issuers began noticing fraud patterns linked to payment cards used at restaurants (see 'Where's the Breach?').
"We had two waves of attacks, both starting in the fall," Bertini says.
The first wave of malware was disabled in March, and the second wave - discovered in May - was cleaned up last month, Bertini says.
The finding of a second wave of malware shows how hard it can be for breached entities to figure out the extent of a compromise, says Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner.
"This comes as no surprise because Wendy's is not in business to audit its systems beyond what PCI requires, and stealthy criminals don't leave many traces of their activities," Litan says. "This lack of effective auditing and monitoring is also why the breach went on so long unnoticed."
The data exposed included Track 1 and Track 2 data, which contains an account holder's name, the primary account number, expiration date, service and verification codes.
In May, Wendy's said the malware infected one type of POS system, which it did not identify. The attacks did not affect restaurants that use NCR Aloha POS, which is installed at locales directly owned by the company and in the majority of franchises. Wendy's has about 5,500 franchises in North America.
Compromise via Third-Party Credentials?
The cybercriminals are believed to have used access credentials from other service providers that had access to Wendy's systems in order to deploy malware on franchisees' POS systems, writes Wendy's CEO and President Tom Penegor in a statement.
That has been a common technique employed by cyberattackers. Rather than directly targeting an organization, hackers often find weaknesses in the networks of suppliers that have access to their clients' networks.
Target's attackers, for instance, gained access to the retailer through a contactor called Fazio Mechanical Services, which installs refrigeration systems for grocery stores (see Target Vendor Acknowledges Breach).
The contractor maintained a data link with Target for billing and project management purposes. Target suffered a loss of 40 million payment cards and 70 million other records, setting off a years-long chain of lawsuits and legal grief (see Target, Visa Reach Breach Settlement).
The type of malware typically installed on a POS system by an attacker is known as a RAM scraper. The malware collects unencrypted payment cards details from a computer's memory immediately after a card is swiped. The unencrypted payment card information sits only briefly in memory, but for enough time to be collected by the malware.
The seemingly nonstop spate of payment card breaches in recent years has prompted many U.S. retailers to speed their transition to accommodate EMV cards, which have a microchip that cryptographically signs transactions. But EMV doesn't provide a defense against RAM-scraping attacks, according to a white paper from Trend Micro.
Instead, EMV makes captured card data harder to use. If criminals try to clone a payment card by copying stolen payment data, the network should recognize that the card doesn't have the microchip and deny the transaction. But the stolen data could still be used for card-not-present transactions, and regions where payment cards have microchips have typically seen that type of fraud rise.
Nonetheless, due in part to a strong push by the card brands and a liability shift that took effect last October, many U.S. retailers are moving to EMV.
Wendy's Faces Lawsuits
Wendy's breach has already attracted lawsuits. In February, First Choice Federal Credit Union filed a class-action lawsuit in a Pennsylvania federal court alleging that the breach was the "inevitable result of Wendy's pervasive and inadequate approach to data security." The suit seeks compensation for breach-related expenses (see Suit Against Wendy's Cites Lack of EMV).
Ironically, Wendy's has been engaged in a four-year push to upgrade its POS systems, but some franchisees have resisted. In December 2014, Wendy's filed a lawsuit against DavCo., one of its largest franchisees, in part for not moving fast enough to install the NCR Aloha POS system.
DavCo. countered "that the new POS system has been fraught with serious technical and operational problems, and that Wendy's has acknowledged such problems," according to the First Choice Federal Credit Union complaint. DavCo. further alleged that at one point that Wendy's indefinitely suspended most installations of Aloha.