Wendy's Admits Data Breach Was Worse Than It Originally Thought

The quick-serve restaurant change admits to a wider impact from a breach it first publicly disclosed in May.

Wendy's data breach

It's often difficult for an organization to initially fully understand the impact of a breach, and such was the case with one suffered by the Wendy's Co. and its chain of quick-serve restaurants. On June 9, Wendy's publicly stated that a breach that in May it first admitted happened was worse than initially reported.

The Wendy's breach has been an ongoing story in 2016, with allegations of a possible breach first emerging at the end of January. It took Wendy's five months to officially confirm that a breach occurred, reporting on May 11 that fewer than 300 of its restaurants were impacted.

The new June 9 disclosure from Wendy's now reveals that the breach was in fact wider.

"Based on the preliminary findings of the previously-disclosed investigation, the Company reported on May 11 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy's restaurants," Wendy's stated. "An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues."

Corporate-owned Wendy's stores were not impacted by the breach, and Wendy's is blaming attacks against third-party POS service providers as being the cause of the breach.

As to why Wendy's is now expanding the impact of the breach, the company noted that it only recently discovered a variant of the original malware that breached the franchised locations. The malware variant apparently was similar in nature to the original, but the execution is different.

"The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the Company believed had not been affected," Wendy's stated.

Security experts contacted by eWEEK had mixed views on the expanded Wendy's breach disclosure.

"The only surprise here is the sloppiness of the original investigation that was not thorough enough to find all infections, not merely those strictly identical to something already observed," John Bambenek, senior threat researcher at Fidelis Cybersecurity, told eWEEK.

Michael Covington, vice president of product at Wandera, said that in his view the biggest surprise coming out of the Wendy's breach investigation is the sheer amount of time it took the company to notice that it had been hacked.

"We are now more than five months into the investigation, and I'm still not convinced the full impact of this breach is understood," Covington said.

Breach investigations across large, distributed organizations can be complicated and difficult operations to conduct. It is very common for companies to discover malware in one department or location, take all the necessary steps to contain and eliminate the compromise, get things back online and assume the case is closed, when in fact it's really not, said Georgia Weidman, founder and CTO at Shevirah.

"Sophisticated malware will quickly pivot across networks, abusing trust relationships even among related organizations such as a supplier relationship to gain a foothold in additional targets," Weidman told eWEEK. "If the infection is only partially cleaned, as Wendy's has recently discovered, the remaining compromised hosts continue to perform malicious activity."

There are multiple compliance regulations in place, including the Payment Card Industry Data Security Standard (PCI DSS), that aim to mitigate the risks of breaches. According to Young-Sae Song, vice president of marketing at Arctic Wolf Networks, the Wendy's breach was a preventable attack and it is a great example of how PCI standards fail to protect a company from credit card data theft.

"Compliance regulations focus on reporting security control failures rather than protecting against threat detection use cases," Song told eWEEK. "This wasn't the first, and it will not be the last large-scale credit card data breach until companies implement threat detection and response capabilities that can protect against these types of attacks."

POS malware is not a new phenomenon, having been actively used in attacks against retailers for several years. In 2014, the U.S. Secret Service warned about the risks of Backoff POS malware, which at the time was thought to have infected systems at more than 600 businesses.

Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures, said it's not surprising to see two or more malware variants inside networks used for different purposes. Modern malware developers are constantly evolving and improving their variants, she said.

"It takes time to properly evaluate large networks, and things found early on are usually only the tip of the iceberg," Barron-DiCamillo said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.