Wendy’s, the popular and widespread US fast-food chain, is investigating a possible payment card data breach.
The company was notified about the possibility by its payment industry contacts earlier this month, and it has hired a cybersecurity company to investigate the matter.
“We began investigating immediately, and the period of time we’re looking at the incidents is late last year,” Wendy’s spokesman Bob Bertini told Brian Krebs. “We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope.”
“POS systems have a lot of security vulnerabilities, making it very easy for hackers to steal credit card information,” noted Dodi Glenn, VP of Cyber Security at PC Pitstop.
“As of now, the Wendy’s breach is speculation – they were alerted by individuals in the banking industry who noticed several credit cards with a matching patch of fraudulent charges, that were also used at Wendy’s. Also, a lot of these fast food chains are franchised, so there may be issues in ‘best security practices’ for the owner.”
“This could be a supersized headache for consumers looking for their comfort food fix and instead finding their personal and financial data may have been exposed,” commented Adam Levin, Chairman of IDT911.
“Restaurant chains are prime targets for cybercriminals because they store a treasure trove of data on their Point Of Sale systems. POS systems have become Points of Sabotage where hackers are looking to steal personal data and payment card information which can be sold on the black market, used for identity theft schemes or to counterfeit cards. Consumers should be on high alert and check their accounts on a daily basis for any suspicious charges or debits. They may also want to sign up for transactional monitoring from their bank, credit union or credit card companies notifying them any time there is activity in their accounts.”
Vann Abernethy, senior technical expert at NSFOCUS IB, says that this incident and others like it should serve as a wake-up call for companies, the payment card industry and consumers alike.
“Many banks have been rolling out new chip-based cards (EMV) recently. This is a good step in the right direction for preventing card information theft and duplication, and adding an additional authentication factor would be even better,” he pointed out, but noted that organizations should also implement end-to-end encryption and/or tokenization.
“EMV prevents duplication via a one-time unique authentication, and having that second factor (for example, a PIN) makes this even stronger. The weakness in the system is the transaction between the card reader, the Point-of-Sale (POS) system and the card issuer for verification. End-to-end (E2E) encryption starting at the card reader would go a long way to fixing the issue.”