Huge data breach at Wendy’s fast food chain

Another day, another data breach, and this time it is a big one! US fast food chain, Wendy’s, has revealed that they have suffered a breach that has impacted more than 1,000 of their food establishments. Customers’ credit card and debit card information has been compromised, and it is believed that the attack occurred due to malware being installed on the point-of-sale systems.

Screen Shot 2016-07-08 at 23.27.12

The news of a data breach at Wendy’s is not too surprising, as the company admitted several months ago in February that they were looking into a possible breach. Over the months, the extent of this breach has slowly been revealed. In May, Wendy’s confirmed that they located malware on their PoS systems. They then gave an update stating that details were stolen from fewer than 300 locations. These details include debit and credit card numbers, service codes, cardholder verification values, and expiration dates. However, if that was not bad enough, the fast food chain has just revealed that actually more than 1,000 venues were impacted.

Wendy’s have reassured customers that all of the locations are now free of malware. Nevertheless, this is unlikely to put customers at ease, as they worry whether they will be victims of fraud. The company explained that it is probable that the cyber attack came from the remote access credentials of the franchisees being compromised. This meant that the cyber criminals were able to install malware, which then swiped details whenever someone paid via their debit or credit card. Of course, considering the number of updates that there have been already, there could well be some more information on the way.

This incident should be a warning sign to all businesses, as it shows how easily point of sale systems can be compromised. If you don’t have efficient cyber security in position at present, it is likely that access to your PoS systems is available via all avenues, from extranet to email to social media. This means that it is easy for hackers to find a way in. Wendy’s should have taken the necessary steps to limit this access.

To do this, LAN segregation is a must. At Retail Secure, we achieve this by creating a separate Cardholder Data Environment (CDE) whereby access is restricted. This makes it extremely difficult for cyber criminals to find a way in and compromise your payment systems. It also means you comply with PCI DSS, which is a standard that is applicable to all UK businesses that take any payments via debit or credit card. If you are not compliant, you could face huge fines, and the reputational damage is something that is difficult to come back from.

Now, Wendy’s face the challenging process of rebuilding the trust that has been broken. You only have to look at the decline in TalkTalk’s profits to see how difficult this is. Don’t put your business in this position to begin with!