BreachExchange mailing list archives

Wendy’s: Where’s The Breach?!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 Jan 2016 09:14:24 -0700

https://www.riskbasedsecurity.com/2016/01/wendys-wheres-the-breach/

Early in the day on January 27th, news broke that Wendy’s was investigating
what was described as “unusual activity” involving payment cards used in
some of their restaurants. The investigation is still in its early stages
and while no breach has yet been confirmed, early signs point to a possible
compromise of the point of sale system – or systems – used throughout the
Midwest and East Coast. Wendy’s was alerted to a possible situation earlier
this month by “payment industry contacts” when fraudulent charges began
appearing on cardholder accounts after legitimate payments were made at the
restaurants.

At this point, there is no indication of how the breach took place, the
scope of the event or which locations were impacted.  As of yesterday,
there was still no confirmation the event had even been contained. Many
data breaches are complex in nature and take time to fully investigate.
That said, the fact that banks and payment industry insiders have linked
fraudulent activity to prior purchases at Wendy’s; Wendy’s decision to
bring in outside security experts to assist with the investigation and the
involvement of law enforcement all point to a serious compromise of a
point-of-sale system.

Fast food restaurants are no strangers to the risk of credit card theft. A
quick analysis of data breaches collected in Cyber Risk Analytics shows
McDonald’s, Taco Bell, Burger King and Hardee’s have all experienced at
least one data loss event in recent years. When looking at McDonald’s in
the US, we found nine incidents between 2010 and today, with seven (77.7%)
of those coming from employees using card skimming devices to capture
customer payment card data.

Next, we looked at Taco Bell and found six total data breach incidents.
All six events targeted the theft of payment card data by insiders and much
like McDonald’s experience, 4 of the 6 (66.6%) breaches involved the use of
a skimming device.

Burger King and Hardee’s have fared somewhat better than the competition.
Hardee’s reported only one incident – yet another employee targeting
customer cards, but this time by simply photographing the cards once they
were handed over for payment at the drive through. Burger King has
disclosed just two incidents: a 2012 employee card skimming incident and,
just last December, a malware infection at a Wauwatosa, WI franchisee that
resulted in the compromise of over 1,000 customer cards.

When reviewing Wendy’s, we found that this wasn’t their first data breach,
as there have been some issues in the past, and, you guessed it, we found
six total breaches. But even more surprising was that none of the data
breaches were due to skimming.

Given the information known to date about the most recent Wendy’s breach,
the first thing that comes to mind is a possible compromise of the Point of
Sale (PoS) systems. We posted last month about the rash of PoS compromise
events at multiple hotel chains. So, naturally, we started to suspect the
same here and did some digging after the Wendy’s breach was announced.

What type of PoS does Wendy’s have?

A quick Google search shows that it isn’t 100% clear which PoS systems are
being used by Wendy’s and if all franchisees have the same systems in
place. It appears Wendy’s corporation has approved various vendors that
could be used by their franchise holders.

In 2009, WAND NextGen announced their POS system had been approved for use
by Wendy’s International, as well as another approved provider NCR Corp,
giving franchise operators the opportunity to order and deploy the NCR
RealPOS 70XRT.

In 2010, Radiant Systems announced they had been selected as the Point of
Sale Technology provider for the 1,500+ Arby’s locations, then owned by the
Wendy’s/Arby’s Group, and was an approved POS provider for another 2,200+
Arby’s franchisees.

In looking at the WAND website there isn’t much mention of security as part
of the offering, but it is very interesting to see that there is a quote
from Tom Schmitz of Wendy’s Fourcrown saying that they have saved thousands
of dollars utilizing the features, security among them.

“We have saved thousands of dollars utilizing the food inventory, labor
tracking, cash accountability, and security features that WAND provides.”

- Tom Schmitz, Wendy’s Fourcrown, Inc.

If the PoS is in fact the issue, then it will be especially interesting to
learn if the event impacts Arby’s as well. Shortly after Wendy’s
implemented the PoS system, WAND Corporation announced its successful
install of a NextGen POS solution with Carisch, Inc., an Arby’s franchisee.
As a quick side note, Wendy’s announced on July 5, 2011 that it had
completed the sale of Arby’s Restaurant Group, Inc. to a buyer formed by
Roark Capital Group, effective as of July 4, 2011.

At the end of 2014, Nemanja, a botnet of thousands of POSs, Grocery
Management and Accounting Systems, was identified. In looking down the list
of compromised vendor systems, we see multiple vendor products that could
have been deployed at Wendy’s.

The Franchisee and Franchisor relationship has long been a curious
relationship when it comes to data breaches.  While most franchisors do not
mandate the use of specific systems or vendors, they do maintain close
control over the “approved” provider list. Certainly this creates many
systemic risk concerns that a breach at one franchisee could open the door
to additional breaches across multiple franchise operators.  Or, when
franchisee systems are directly connected with the franchisor, would it be
possible for hackers to work downstream, potentially impacting all of the
franchisees?

It has been reported that early indications of the Wendy’s breach initially
came from banking industry sources, mainly financial institutions in the
Midwest. However, it may be larger than that, as there are now similar
reports from banks on the East Coast of the United States. It remains to
be seen what actually caused this breach – and how far it will go, as the
Wendy’s system includes approximately 6,500 franchise and company-operated
restaurants in the United States and 28 countries and U.S. territories
worldwide.

When a breach like Wendy’s comes out, it takes the large majority of news
cycle attention. After all, nearly everyone can relate to the fast food
experience. But at the same time, there are other breaches taking place,
and some would argue they have the potential of doing much more damage.

While news of the Wendy’s incident filled the media pipeline, website
administration firm cPanel quietly informed their customers they had been
hacked over the weekend, potentially exposing contact information in the
process.  It appears that customers’ names, contact details, and encrypted
(and salted) passwords were publicly aired due to a series of unfortunate
events.

A copy of the notice sent to customers can be found here:

“Although we successfully interrupted the breach, it is still possible that
user contact information may have been susceptible.”

“The customer contact information that may have been susceptible is limited
to names, contact information, and encrypted (and salted) passwords. Please
note that our credit card information is stored in a separate system
designed for credit card storage and is not impacted by this possible
breach.”

“Although current passwords are stored salted and encrypted, we are
accelerating our move to stronger password encryption at the same time in
order to minimize disruption. In order to safeguard the system, we will
force all users with older password encryption to change their passwords”

Breaches of payment card data are costly, disruptive events. But they are
also relatively contained in the sense that cards can be cancelled, systems
restored and the damage contained. Breaches like the one at cPanel can
linger for much longer, with the impact felt well into the future.
Malicious actors now know who is using cPanel, giving them a key piece of
information for launching spear phishing attacks. Considering that cPanel
holds the keys to the administration of an untold number of websites,
certainly this type of user information alone has value to potential
attackers.

As with all data breaches, information that comes out in the early stages
is usually an incomplete view, and there is a lot of posturing by the
companies impacted to minimize the potential impact.  It remains to be seen
how wide reaching both the Wendy’s and cPanel data breaches actually are in
the end.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss