In January, quick-serve restaurant chain the Wendy’s Co. first publicly admitted it was investigating claims that an unspecified number of its locations were the victims of a data breach. Nearly seven months later, after several attempts at quantifying the impact of the breach, Wendy’s is now reporting that 1,025 of its U.S. locations were affected by point-of-sale (POS) malware.
Wendy’s had originally claimed in May that the POS malware affected fewer than 300 out of a total of approximately 5,500 franchised locations. In June, the restaurant chain reported that that number was in fact larger than 300, with an additional 50 Wendy’s franchised locations identified as being part of the breach.
Now with the new disclosure released on July 7, Wendy’s is reporting that the size of the breach is actually about triple that, with 1,025 locations across the U.S. affected.
According to Wendy’s, two different malware attacks impacted its locations. The first attack was the one that was reported in May, while the June disclosure and the new update on July 7 were about a separate malware attack. In a statement, Wendy’s noted that the May malware targeted payment card information, including credit or debit card number, expiration date, cardholder verification value and service code, but did not target customer names. In contrast, the malware first disclosed in June was able to gain access to customer names.
“Working closely with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the Company has determined that specific payment card information was targeted by the additional malware variant,” Wendy’s stated. “This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.”
The full list of affected locations, which shows that the breaches ran from Dec. 2, 2015 until June 8, 2016, can be found here.
According to Wendy’s investigation, the root cause of the breaches appears to be a remote access attack against the POS service provider. Somehow the service provider’s access credentials were compromised and the attackers were able to gain access and then deploy malware on individual restaurant POS systems.
Of note, for both of the malware attacks against Wendy’s, only franchised restaurants were impacted and not company-owned restaurants, which have a different POS system in place.
“We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures,” Todd Penegor, president and CEO, said in a statement.
The disclosure that more locations were victims of a breach than was first reported isn’t surprising given the disclosure timeline. When Wendy’s first confirmed the breach in May, it clearly stated that it was still continuing its investigation. The disclosure of additional victims in June, along with the disclosure of a second malware attack, was a direct result of that continuing investigation. Wendy’s findings that even more of its restaurants were impacted than previously thought were a function of the company doing its due diligence, which can take time.
What is surprising, however, is that although the malware attacks started last December, in some locations they ran until June without being detected. That means that attackers could well have had unfettered access to POS systems and countless customer credit cards that ran through those systems.
The fact that the POS malware didn’t impact Wendy’s corporate-owned stores is also noteworthy, as it clearly indicates that Wendy’s has some form of IT security regimen in place that was able to deflect or deter attackers. Franchised locations were the weak link because, for whatever reason, they do not run the same POS system as Wendy’s corporate-owned stores do and apparently don’t have the same level of security.
Also of note is that the attack is being attributed to a credential breach at the POS service provider. This is an all too common root cause of attack, where credentials are stolen by way of some form of phishing attack and then reused by attackers. It’s not clear if the third-party service provider made use of any form of multifactor authentication, which potentially could have mitigated the risk of a simple password theft. It’s also not clear if the third-party provider ran any form of monitoring technology that looked for outliers, like a remote code execution or data exfiltration to an unauthorized location.
Attackers have a playbook. It’s one that often begins with stolen credentials, but the reality is that with a proper set of controls and processes in place, that shouldn’t necessarily lead to a data breach. That’s a lesson that Wendy’s franchise owners have now learned the hard way.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.