The Wendy’s Company might be the latest household name-brand company to be the victim of a point-of-sale (POS) data breach. The quick-service restaurant chain is now looking into reports that some of its locations were affected by a breach.
In a statement emailed to eWEEK, company officials said that reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some of its restaurants.
“We have been working with our payment industry contacts since recently learning of these reports and we have launched a comprehensive investigation with the help of cyber-security experts to gather facts, while working to protect our customers,” Wendy’s stated. “We also are fully cooperating with law enforcement authorities.”
While the investigation is in its early stages, Wendy’s is not yet able to fully determine the complete impact or scope of a potential breach. Though Wendy’s has not yet made an official confirmation if a breach has, in fact, occurred, the company is providing some general guidance for its customers.
“As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards,” Wendy’s stated. “Generally, individuals that report unauthorized charges in a timely manner to the bank that issued their card are not responsible for those charges.”
If and when Wendy’s officially confirms a POS breach of some sort, it will join a growing list of restaurants that have reported similar incidents in recent years. Wendy’s might also get lucky as not all alleged POS breaches end up being confirmed. In January 2015, Chick-fil-a began an investigation into an alleged POS data breach. In March 2015, Chick-fil-A said its investigation determined that no POS breach had occurred.
Other restaurants, however, have not been as fortunate. In June 2014, Chinese restaurant chain P.F. Chang’s confirmed that it was the victim of a breach. To minimize the immediate risk of the breach, P.F. Chang’s had to resort to manually imprinting credit cards, instead of using its digital POS terminals. In October 2014, restaurant chain International Dairy Queen confirmed that its Dairy Queen ice cream chain and Orange Julius beverage locations had been impacted by a POS breach.
The Jimmy Johns breach, confirmed in Sept. 2014, was particularly noteworthy. In the Jimmy Johns incident, the blame was placed on third-party POS vendor Signature Systems, which provides payment systems to restaurants.
“Point-of-sale systems are the weakest link in many retail companies, so a breach at Wendy’s isn’t particularly surprising,” Tod Beardsley, security research manager at Rapid 7, told eWEEK.
POS systems frequently feature out-of-date operating systems that are rarely patched and shared passwords across systems, and aren’t often integrated with the usual set of IT security controls, he said, adding that POS systems typically store and forward the most valuable data for criminal organizations: credit card data. In Beardsley’s view, POS systems often exist in a sweet spot of “vulnerable” and “valuable” from the perspective of attackers, which is why breaches are reported repeatedly.
“Retail organizations that have the most to lose from a breach should be empowered to have some serious conversations with their POS vendors to make sure that the fundamentals of security are solved in the short term,” Beardsley said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.