The food chain confirmed Wendy’s data breach. How did it happen? And what can we learn from the incident?
Wendy’s Data Breach
Wendy’s suffered a point-of-sale (POS) malware attack. The malware stole credit card data and infected 1,025 of the chain’s locations.
Wendy’s investigated the incident. According to its report, the breach started in the fall of 2015. The company attributed the malware to compromised third-party vendor credentials.
What made Wendy’s investigate the incident?
Credit unions and card issuers in Ohio noticed unusual card activity and traced it back to Wendy’s restaurants. Moreover, the losses from this breach may end up five to ten times those that affected Target and Home Depot.
Additionally, Wendy’s said that it is cooperating with security experts and law enforcement. It is also investigating the source of the malware and how it could affect the company’s operations.
The company also reported that it has already removed the malware. But it said that the incident may affect other locations, with an estimated count of 50 franchise restaurants.
It also said that the malware is very difficult to detect.
The impact of Wendy’s Data Breach
Wendy’s initial report said that the breach affected 5% of its operations and locations. But after a month, the company said that the impact was still ongoing. Why?
The breach happened in two waves. The first was the malware on the POS devices of 300 stores. Then a second wave followed.
Experts found another strain of malware at other locations. This new strain has tools that target different POS systems.
We should note that many franchises use third-party service providers that maintain these POS systems. The attackers entered through third-party vendors.
As a result, the customers’ credentials were compromised. Once the attackers installed the malware, they could steal the data remotely, like remotely swiping the card at the register.
Furthermore, another danger is that hackers can sell the data on the black market.
The stolen data
The malware stole valuable cardholder information, which includes:
- cardholder names
- credit and debit card numbers
- expiration dates
- cardholder verification numbers
- service codes
The consequences
Here are some consequences that Wendy’s will face.
- commercial loss
- reputational damage
The timeline of Wendy’s data breach
- Late Fall 2015 – malware installed
- January 2016 – credit unions informed Wendy’s
- January 27, 2016 – Wendy’s confirmed the breach
- February 9 – malware found at some locations
- April 2016 – breach still ongoing
- April 25 – a lawsuit filed against Wendy’s by First Choice Federal Credit Union
- May 11 – malware removed
- June 9 – another malware strain detected
- July 7 – affected locations totaled 1,025
How to minimize card fraud
Today, businesses are switching to EMV, or chip-based, cards. These are more secure than the old magnetic stripes. Moreover, EMV cards are harder and more expensive to fake.
Others use PIN-based technology to complete card payments, which informs the bank if someone has modified a card or payment transaction.
Additionally, businesses encourage using multi-layered security to protect card users.