At the end of January, the first reports publicly emerged about a possible point-of-sale (POS) data breach at an undisclosed number of locations affiliated with the Wendy’s Company and its chain of quick-serve restaurants. On May 11, as part of Wendy’s fiscal 2016 first-quarter financial report, the company officially confirmed that some of its locations were, in fact, the victim of a POS data breach.
While Wendy’s has not yet fully completed its investigation into the breach, it does have some preliminary data on what happened. According to Wendy’s disclosure, the breach likely first started in the fall of 2015 and involved the installation of malware by way of compromised third-party vendor credentials. Of note, though, is the fact that the malware was only found in Wendy’s franchisee-owned stores and not in corporate-owned Wendy’s locations.
Wendy’s has found that the malware affected “fewer than 300” franchised locations out of a total of approximately 5,500 locations.
The corporate-owned Wendy’s stores used the Aloha point-of-sale system, which was not affected by the malware. Additionally, Wendy’s stated that the majority of its franchised restaurants use the same POS system, and a plan for full implementation of the Aloha system throughout North American restaurants is set to be completed by the end of 2016.
“The company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants,” Wendy’s stated. “The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.”
Wendy’s also admitted that it has found approximately 50 franchise restaurants that “are suspected of experiencing, or have been found to have, unrelated cyber-security issues.” Wendy’s noted that it is working with its franchisees to fix the security issues.
Wendy’s now joins a list of retail restaurant chains that have been the victims of POS malware data breaches. In June 2014, Chinese restaurant chain P.F. Chang’s confirmed that it was the victim of a breach. Jimmy Johns confirmed its data breach in September 2014, placing the blame on third-party POS vendor Signature Systems. In October 2014, restaurant chain International Dairy Queen confirmed that its Dairy Queen ice cream chain and Orange Julius beverage locations had been affected by a POS breach.
The fact that Wendy’s was breached doesn’t surprise security experts.
“I don’t find anything particularly surprising about Wendy’s announcement, except perhaps that they have waited until now to disclose the breach,” Tyler Cohen Wood, cyber-security advisor for Inspired eLearning, told eWEEK. “It’s also very important for enterprises to report breaches in a timely manner to protect their customers and financial institutions.”
Tod Beardsley, security research manager at Rapid 7, commented via email that the fact that only 5 percent of Wendy’s locations were impacted by the POS malware is actually likely a contributing factor to the Wendy’s breach success. He said a small footprint is much more difficult to detect since the patterns resulting from the fraud take longer to materialize.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.