BreachExchange mailing list archives
Wendy’s: Where’s The Breach?!
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 Jan 2016 09:14:24 -0700
https://www.riskbasedsecurity.com/2016/01/wendys-wheres-the-breach/

Early in the day on January 27th, news broke that Wendy’s was investigating what was described as “unusual activity” involving payment cards used in some of its restaurants. The investigation is still in its early stages and, while no breach has yet been confirmed, early signs point to a possible compromise of the point-of-sale system, or systems, used throughout the Midwest and East Coast. Wendy’s was alerted to a possible situation earlier this month by “payment industry contacts” when fraudulent charges began appearing on cardholder accounts after legitimate payments were made at the restaurants. At this point, there is no indication of how the breach took place, the scope of the event or which locations were impacted. As of yesterday, there was still no confirmation that the event had even been contained.

Many data breaches are complex in nature and take time to fully investigate. That said, the fact that banks and payment industry insiders have linked fraudulent activity to prior purchases at Wendy’s, Wendy’s decision to bring in outside security experts to assist with the investigation, and the involvement of law enforcement all point to a serious compromise of a point-of-sale system.

Fast food restaurants are no strangers to the risk of credit card theft. A quick analysis of data breaches collected in Cyber Risk Analytics shows McDonald’s, Taco Bell, Burger King and Hardee’s have all experienced at least one data loss event in recent years. Looking at McDonald’s in the US, we found nine incidents between 2010 and today, seven of them (77.8%) involving employees using card skimming devices to capture customer payment card data. Next, we looked at Taco Bell and found six data breach incidents in total. All six events involved the theft of payment card data by insiders and, much like McDonald’s experience, 4 of the 6 (66.7%) breaches involved the use of a skimming device.

Burger King and Hardee’s have fared somewhat better than the competition. Hardee’s reported only one incident, yet another employee targeting customer cards, but this time by simply photographing the cards once they were handed over for payment at the drive-through. Burger King has disclosed just two incidents: a 2012 employee card skimming incident and, just last December, a malware infection at a Wauwatosa, WI franchisee that resulted in the compromise of over 1,000 customer cards. Reviewing Wendy’s, we found that this isn’t its first data breach either; there have been issues in the past and, you guessed it, we found six breaches in total. More surprising was that none of those breaches were due to skimming.

Given the information known to date about the most recent Wendy’s breach, the first thing that comes to mind is a possible compromise of the point-of-sale (PoS) systems. We posted last month about the rash of PoS compromise events at multiple hotel chains, so naturally we started to suspect the same here and did some digging after the Wendy’s breach was announced.

What type of PoS does Wendy’s have? A quick Google search shows that it isn’t 100% clear which PoS systems are being used by Wendy’s, or whether all franchisees have the same systems in place. It appears Wendy’s corporation has approved various vendors that may be used by its franchise holders. In 2009, WAND Corporation announced that its NextGen POS system had been approved for use by Wendy’s International, as had that of another approved provider, NCR Corp, giving franchise operators the opportunity to order and deploy the NCR RealPOS 70XRT. In 2010, Radiant Systems announced it had been selected as the point-of-sale technology provider for the 1,500+ Arby’s locations then owned by the Wendy’s/Arby’s Group, and was an approved POS provider for another 2,200+ Arby’s franchisees.

Looking at the WAND website, there isn’t much mention of security as part of the offering, but it is interesting to see a quote from Tom Schmitz of Wendy’s Fourcrown, Inc. saying that they have saved thousands of dollars using the product’s features, and listing security among them:

“We have saved thousands of dollars utilizing the food inventory, labor tracking, cash accountability, and security features that WAND provides.” - Tom Schmitz, Wendy’s Fourcrown, Inc.

If the PoS is in fact the issue, it will be especially interesting to learn whether the event impacts Arby’s as well. Shortly after Wendy’s implemented the PoS system, WAND Corporation announced its successful install of a NextGen POS solution with Carisch, Inc., an Arby’s franchisee. As a quick side note, Wendy’s announced on July 5, 2011 that it had completed the sale of Arby’s Restaurant Group, Inc. to a buyer formed by Roark Capital Group, effective as of July 4, 2011.

In 2014, Nemanja, a botnet of roughly a thousand compromised PoS, grocery management and accounting systems, was identified. Looking down the list of compromised vendor systems, we see multiple vendor products that could have been deployed at Wendy’s.

The franchisee/franchisor relationship has long been a curious one when it comes to data breaches. While most franchisors do not mandate the use of specific systems or vendors, they do maintain close control over the “approved” provider list. This creates a systemic risk: a breach at one franchisee could open the door to additional breaches across the many franchise operators running the same approved system. Or, where franchisee systems are directly connected to the franchisor, could attackers work downstream from there and potentially impact all of the franchisees?

It has been reported that early indications of the Wendy’s breach initially came from banking industry sources, mainly financial institutions in the Midwest. However, it may be larger than that, as there are now similar reports from banks on the East Coast of the United States. It remains to be seen what actually caused this breach, and how far it will go, as the Wendy’s system includes approximately 6,500 franchise and company-operated restaurants in the United States and 28 countries and U.S. territories worldwide.

When a breach like Wendy’s comes out, it takes the large majority of news cycle attention. After all, nearly everyone can relate to the fast food experience. But at the same time, other breaches are taking place, some of which, one could argue, have the potential to do much more damage. While news of the Wendy’s incident filled the media pipeline, website administration firm cPanel quietly informed its customers that it had been hacked over the weekend, potentially exposing contact information in the process. It appears that customers’ names, contact details, and encrypted (and salted) passwords were publicly aired due to a series of unfortunate events. A copy of the notice sent to customers can be found here:

“Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible.”

“The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach.”

“Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords.”

Note that the notice does not name the scheme currently protecting the passwords or the “stronger” one replacing it, so how much protection the salting actually affords cannot be judged from the notice alone.

Breaches of payment card data are costly, disruptive events. But they are also relatively contained, in the sense that cards can be cancelled, systems restored and the damage bounded. Breaches like the one at cPanel can linger much longer, with the impact felt well into the future. Malicious actors now know who is using cPanel, giving them a key piece of information for launching spear phishing attacks. Considering that cPanel holds the keys to the administration of an untold number of websites, this type of user information alone certainly has value to potential attackers. As with all data breaches, the information that comes out in the early stages is usually an incomplete view, and there is a lot of posturing by the companies impacted to minimize the perceived impact. It remains to be seen how wide-reaching both the Wendy’s and cPanel data breaches actually are in the end.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.