'Where's the Breach?'Wendy's Investigates Suspected Payment Card Fraud
See Also: Autonomous Response: Threat Report
Wendy's, which bills itself as "the world's third largest quick-service hamburger company," says it has more than 6,500 corporate-owned and franchised locations worldwide, although it doesn't yet know how extensive the suspected breach might be. But multiple card issuers tell Information Security Media Group that the breach appears to be limited to just some U.S. regions.
"Wendy's is currently investigating reports of unusual activity involving payment cards at some restaurant locations," spokesman Bob Bertini tells ISMG. "Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants."
Wendy's has also not yet said if it suspects that point-of-sale malware was behind the attack, or if payment card data might have stolen in some other manner. Likewise, there's no indication of how many locations might be affected, and if the breach involves both its corporate-owned restaurants - located only in the United States - and its U.S. and global franchised locations.
To help answer those questions, the restaurant chain says it's brought in a third-party incident response team to investigate the suspected breach. "We have been working with our payment industry contacts since recently learning of these reports, and we have launched a comprehensive investigation with the help of cybersecurity experts to gather facts, while working to protect our customers," Bertini says. "We also are fully cooperating with law enforcement authorities. Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident."
News of the Wendy's breach probe was first reported by security blogger Brian Krebs, based on reports from multiple card issuers that had traced fraud to cards that were used at Wendy's.
West Coast Fraud: Confirmed
But the Wendy's breach doesn't appear to involve all of its U.S. locations. One Midwest card issuer tells ISMG that it has seen no fraud linked to payment cards used at Wendy's. Two other card issuers located on the West Coast, however, say they have seen some fraud linked to Wendy's - very limited in scope - leading one issuer to suspect that the breach is very geographically based.
The other card issuer, meanwhile, says there appears to be extensive commingling between the Wendy's breach and other breaches, and also that a timeframe for these attacks has yet to be established. The issuer adds that no related Compromised Account Management System - better known as CAMS - alerts from payment card brands tied to the breach have been issued. Card brands use these alerts to directly warn card issuers of specific accounts that they believe were compromised by attackers.
"I am hoping some publicity suggests the brands will be putting out some CAMS alerts with date ranges," the issuer says.
The safe bet for now, however, is that anyone in the United States - and potentially Canada - who has used a payment card at Wendy's in the past 12 months or so should keep their eyes peeled for signs of fraud. "As always, in line with prudent personal financial management, we encourage our customers to be diligent in watching for unauthorized charges on their payment cards," Bertini from Wendy's says. "Generally, individuals that report unauthorized charges in a timely manner, to the bank that issued their card, are not responsible for those charges."
"Where's the Beef?"
Restaurant Breach Epidemic
The spate of restaurant-related breaches has seemed nonstop since restaurant chain P.F. Chang's China Bistro warned in mid-2014 that it suffered a POS malware attack that compromised dozens of locations. Almost two years later, news of the suspected Wendy's breach now begs the question of which restaurateurs, hoteliers and retailers haven't yet been breached, and their systems infected with card-stealing POS malware.
While big names such as Wendy's seem to be regular breach victims, fraud experts say that cybercrime rings are also diversifying their efforts and increasingly targeting smaller, regional restaurant chains.
The U.S. shift to EMV might help block more breaches, security experts say, although full EMV compliance remains years away. With no easy breach respite in site, experts say that more security-savvy consumers might make a move to ditch plastic in favor of alternatives, such as Apple Pay, that promise stronger protection. To help make that happen, however, Al Pascual, director of fraud and security at Javelin Strategy & Research, says restaurants must pay to upgrade their POS terminals. "Going with a contactless EMV terminal would accommodate growing use of mobile-proximity payments like Apple Pay, which will represent 1.3 billion total transactions in the U.S. by 2019, and reduce the risk of breaches, as EMV data is significantly less attractive to compromise."
The same advice goes for the hospitality sector, which handles numerous payment cards and which has also become a cybercriminal attack magnet. This month, Hyatt Hotels announced that the breach it discovered in Nov. 2015 involved POS malware that was installed by attackers at 250 of its locations across 50 countries. Hyatt has yet to detail how many cardholders - or payment cards - were affected by the breach.
Hyatt's warning follows in the wake of numerous other hotels finding that they too had been breached, including Starwood Hotels and Resorts, which warned in Nov. 2015 that it had suffered a POS malware breach and Hilton, which warned the same month that it suffered intermittent POS malware breaches throughout 2014 and 2015. That followed Trump Hotels warning in September that it likely suffered a year-long breach that began in May 2014 and which it didn't discover until June 2015.
Executive Editor Tracy Kitten also contributed to this story.