At least 1,025 Wendy’s locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendy’s had said the breach impacted fewer than 300 locations.
An ad for Wendy’s (in Russian).
On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores. But in a statement last month, Wendy’s warned that its estimates about the size and scope of the breach were about to get much meatier.
Wendy’s has published a page that breaks down the breached restaurant locations by state.
Wendy’s is placing blame for the breach on an unnamed third-party that serves franchised Wendy’s locations, saying that a “service provider” that had remote access to the compromised cash registers got hacked.
For better or worse, countless restaurant franchises outsource the management and upkeep of their point-of-sale systems to third party providers, most of whom use remote administration tools to access and manage the systems remotely over the Internet.
Unsurprisingly, the attackers have focused on hacking the third-party providers and have had much success with this tactic. Very often, the hackers just guess at the usernames and passwords needed to remotely access point-of-sale devices. But as more POS vendors start to tighten up on that front, the criminals are shifting their focus to social engineering attacks — that is, manipulating employees at the targeted organization into opening the backdoor for the attackers.
As detailed in Slicing Into a Point-of-Sale Botnet, hackers responsible for stealing millions of customer credit card numbers from pizza chain Cici’s Pizza used social engineering attacks to trick employees at third party point-of-sale providers into installing malicious software.
Perhaps predictably, Wendy’s has been hit with at least one class action lawsuit over the breach. First Choice Federal Credit Union reportedly alleged that the data breach could have been prevented or at least lessened had the company acted faster. That’s difficult to argue against: The company first learned about the breach in January 2016, and stores were still being milked of customer card data six months later.
More lawsuits are likely to come. As noted in Credit Unions Feeling Pinch in Wendy’s Breach, the CEO of the National Association of Federal Credit Unions believes the losses their members have suffered from cards compromised at Wendy’s locations so far eclipse those that came in the wake of the huge card breaches at Target and Home Depot.
People who are in the habit of regularly eating at or patronizing a company that is in the midst of responding to a data breach pose a frustrating challenge for smaller banks and credit unions that fight card fraud mainly by issuing customers a new card. Not long after a new card is shipped, these customers turn around and unwittingly re-compromise their cards, prompting institutions to weigh the costs of continuously re-issuing versus the chances that the cards will be sold in the underground and used for fraud.
A number of readers have written in this past week apparently concerned about my whereabouts and well-being. It’s nice to be missed; I took a few days off for a much-needed staycation and to visit with friends and family. I’m writing this post because some stories you just have to see through to the bitter end. But fear not: KrebsOnSecurity will be back in full swing next week!