On Wednesday (May 11), Wendy’s said that “fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants” had malware in their POS systems and another “approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues.” This comes on the heels of a lawsuit that accused Wendy’s of a wide range of IT security shortcomings.
In the new statement, Wendy’s did not identify which POS was impacted, but it strongly implied that new Aloha POS systems—currently being installed throughout the company, with the stated goal of full deployment by “year-end 2016”—were not infected.
Wendy’s “has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation,” Wendy’s said.
This follows a federal lawsuit filed against Wendy’s by the First Choice Federal Credit Union, accusing the fast-food chain of negligence. “The data breach was the inevitable result of Wendy’s pervasive and inadequate approach to data security. Wendy’s data security deficiencies were so significant that (cyberthieves) installed malware and remained undetected for weeks, or possibly months, until outside parties notified Wendy’s that there may have been a breach based on fraudulent transactions that had taken place after the (cyberthieves) had used or sold the customer data,” the lawsuit said.
One point that the lawsuit hammered home against Wendy’s is, based on the details in the lawsuit itself, actually a case of Wendy’s handling a data-breach disclosure properly.
After noting various reports of Wendy’s data being sold by thieves, “Wendy’s, instead of acknowledging the breach and alerting all financial institutions out of caution, stated that ‘it’s not appropriate just yet to speculate on anything in terms of scope.’ On January 27, 2016, Wendy’s announced that it was investigating reports of ‘unusual activity’ on payment cards used in some of its restaurants, but refused to acknowledge that a data breach had occurred, reiterating that ‘it is difficult to determine with certainty the nature or scope of the potential incident.’”
On that point, I’m with Wendy’s. The initial indications of fraud—often from card brands and then law enforcement, both looking for common points of purchase—are invariably inaccurate. Even the initial security forensic results are often wrong, as the first things discovered are the misleading clues that the attackers planted after they deleted their actual tracks. These things take time and it’s critical that merchants speak accurately and precisely about data breaches, waiting until a more complete and reliable portrait emerges.
That concludes the defending-Wendy’s portion. Let’s get back to the allegations. “A CAMS alert sent to at least some class members by VISA indicates that the ‘exposure window’ for the Wendy’s data breach runs from October 26, 2015 through March 10, 2016. This means that Wendy’s failed to prevent or stop the hackers from stealing Customer Data for approximately five months,” the filing said. “Taking advantage of Wendy’s lax data security and delayed notification to financial institutions and the public, hackers were able to gather large amounts of Customer Data. With that data, unknown perpetrators were able to make hundreds of thousands or even millions of fraudulent undetected purchases on credit and debit cards that had been issued by Plaintiff and members of the Class. Unknown perpetrators also specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions, such as Plaintiff and members of the Class, to suffer losses that are much greater than what was experienced after the Home Depot or Target data breaches.”
It then gets into questions of POS security. “In 2012, Wendy’s announced plans to implement a new POS platform for the entire Wendy’s system in the U.S. and in Canada. Wendy’s admitted in connection with a lawsuit against a franchisor that Wendy’s existing POS systems were outdated and that a system wide POS upgrade was necessary. However, Wendy’s franchisee, DavCo Restaurants LLC, in its counterclaim alleged that the new POS system has been fraught with serious technical and operational problems and that Wendy’s has acknowledged such problems and called them unreasonable. DavCo further alleged that Wendy’s has issued an indefinite suspension of most installations of the new POS system. Specifically, DavCo alleges that Wendy’s had previously rejected the POS system it was recommending its franchisees install. Moreover, the allegations further state that the POS software at issue has stability issues, repeatedly froze and disconnected from the store’s network.”