Wendy’s Data Breach: Forget the beef, where’s the cyber security?

The scope of the recent Wendy’s data breach, which has already resulted in a class-action lawsuit against the fast-food giant, is about to get much bigger. Krebs on Security reports having received information from “a number of sources in the fraud and banking community” alleging that “that there was no way the Wendy’s breach only affected five percent of stores [as Wendy’s originally reported] — given the volume of fraud that the banks have traced back to Wendy’s customers.” Even worse, these same sources allege that “the breach was still ongoing well after Wendy’s made the five percent claim in May.”

Backed into a corner, Wendy’s finally released a statement to Krebs on Security admitting that the number of locations affected was expected to be “considerably higher” than the approximately 300 originally reported. However, Wendy’s declined to estimate how many locations were involved, citing an ongoing investigation. Interestingly, the company emphasized that the breaches affected only independently owned franchise restaurants, not company-owned locations, and claimed that the breach was the fault of third-party service providers hired by franchisees to service and maintain their POS systems.

If that sounds like Wendy’s is passing the buck, it’s because they are. Rather than taking responsibility for the cyber security shenanigans going on under the Wendy’s banner, Wendy’s is choosing to place the blame on its franchisees and their third-party vendors: “They’re independently owned and operated, so we have no control over what they do!” It remains to be seen whether the courts will side with Wendy’s on this legal hairsplitting, but it’s unlikely that consumers will see things Wendy’s way. To a consumer, a Wendy’s location is a Wendy’s location, regardless of whether the corporation owns it or has franchised it out, and if consumers do not trust that their payment card data is safe at Wendy’s, they’ll stop patronizing their restaurants.

How Could the Wendy’s Data Breach Have Been Prevented?

Wendy’s claims that its POS systems were compromised using credentials stolen from POS service providers; these credentials allowed hackers to remotely access the POS systems. As discussed in a previous blog, there are numerous measures that restaurants and retailers can take to secure their POS systems, including monitoring the system for suspicious activity, such as someone logging in from an unusual location or accessing parts of the system they would have no legitimate reason to. The Wendy’s data breach could have been prevented had the company taken its cyber security seriously and implemented proactive security measures, but the company chose not to. Instead, it chose to pass the buck on its POS security, and then attempt to deflect responsibility onto its franchisees instead of getting out in front of the problem.

This begs the question, is the Wendy’s data breach a harbinger of things to come as the fast-food industry transitions from human clerks to automated ordering kiosks and touch screens? Consumers and the government are not yet asking this question, but if incidents like the Wendy’s data breach multiply, it’s certain they will be.

The core competency of a restaurant is food preparation, not information security, which is why restaurants should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting retail and restaurant POS systems from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified. In an effort to cut through the noise and clear up some of the confusion regarding SSAE 16 compliance, Lazarus Alliance would like to clarify what SSAE 16 compliance is—and isn’t.

What is SSAE 16?

SSAE 16 is an internationally recognized auditing standard for service organizations. It was developed by the American Institute of Certified Public Accountants (AICPA) and replaces the previous standard, SAS 70. SSAE 16 reporting helps service organizations comply with the requirements of Sarbanes Oxley (section 404) to demonstrate effective internal controls covering financial reporting. SSAE 16 applies to data centers that host systems that are involved in their clients’ financial reporting, as well as web hosting providers, ASPs, and ISPs who perform services that are relevant to their clients’ financial reporting.

There are three types of reports that can be issued: an SOC 1, an SOC 2, or an SOC 3, all of which address different controls. Performing an SSAE 16 audit and issuing an SOC report demonstrates a service provider’s commitment to maintaining a sound control environment that protects their clients’ data and confidential information.

Some service providers who use SSAE 16-compliant data centers imply that they are, somehow, SSAE 16 compliant by proxy. This is not the case; just because you use a provider who is SSAE 16 compliant does not mean that your company is SSAE compliant, and to imply such is black-hat marketing.

There is No Such Thing as SSAE 16 “Certification”

A Google search on “SSAE 16” reveals numerous instances of companies claiming to be “SSAE 16 Certified.” Organizations are compliant with SSAE 16; there is no such thing as becoming “SSAE certified.” SSAE 16 has to do with issuing SOC reports; no “certification” is awarded to anyone. Beware of any service provider that claims to possess an SSAE 16 “certification” or purports to be working towards getting one.

Need SSAE 16 Compliance Auditing Services?

If you have questions about SSAE 16, or if your company needs SSAE 16 auditing services, Lazarus Alliance can help! Depending on your team’s availability, our SSAE 16 audit process initially takes just a few weeks from start to completion. We realize that our clients have full-time, everyday obligations in addition to dealing with auditors, so we will be happy to work around your schedule and provide a quality audit and report in the time frame you desire.

Lazarus Alliance’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence in all jurisdictions. Lazarus Alliance specializes in IT security, risk, privacy, governance, cyberspace law, and compliance leadership solutions and is fully dedicated to global success in these disciplines. Learn more about Lazarus Alliance and why Lazarus Alliance is Proactive Cyber Security™!

Following a string of high-profile incidents that began earlier this year, the healthcare industry has been highly focused on preventing ransomware attacks. IoT security has also emerged as a growing concern. However, healthcare organizations (as well as businesses in other industries) cannot afford to ignore another growing threat: spear phishing.

Like regular phishing, spear phishing involves sending legitimate-looking but fraudulent emails asking users to provide sensitive information and/or initiate wire transfers. However, while regular phishing emails are sent out en masse to the general public, spear phishing emails are highly targeted and sent to specific, predetermined victims, usually a small group of people working at a specific company.

In a recent press release, the Federal Bureau of Investigation warned of a dramatic rise in a type of spear phishing known as a “CEO email scam” or a “business email compromise scam.” According to the FBI, from October 2013 to February 2016, law enforcement identified 17,642 victims, totaling $2.3 billion in losses. Since January 2015, reports of spear phishing have increased by 270%.

Main Line Health Attack Proves that Employee Data Is at Risk

In February 2016, while everyone’s attention was focused on the Hollywood Presbyterian ransomware attack, Main Line Health, which operates four hospitals near Philadelphia, was hit by a spear phishing scheme. Emails were sent to employees, purportedly from the organization’s CEO and CFO, requesting employee payroll and W2 information. While some employees immediately realized the emails were fraudulent and reported them to management, at least one employee was tricked into sending the requested information to the hacker. As a result, Main Line Health had to notify its employees that their personal information may have been compromised and offer them free credit counseling and monitoring services.

When healthcare organizations think about cyber security, they usually focus on patient data protection. However, the hackers who compromised Main Line Health were not seeking to infiltrate patient data, but employee data, and the attack may have been connected to a very large spear phishing scheme targeting HR and payroll professionals in various industries nationwide. It is suspected that the hackers running the scheme intended to use the stolen data to file fraudulent tax returns.

How to Protect Against Spear Phishing

Email spam filters can be adjusted to recognize emails from suspicious sources and block them before they reach employees’ inboxes. However, some phishing emails will undoubtedly still get through. The best way to protect against spear phishing is to teach employees how to recognize the telltale signs of a spear phishing email, such as:

• The salutation and/or the closing seem odd. For example, management normally refers to you as “William” or “Mr. Doe,” but the email is addressed to “Bill.” In the case of Main Line Health, the closing is what alerted one employee to the fraud; the email message, which purported to be from the CEO, was signed “John Lynch,” but the employee knew that the company’s CEO goes by “Jack.”
• The request is unusual and/or does not follow normal company protocol. For example, the email is asking for employee W2 information, but requests like this are not normally handled through email or by the employee who received the request, or the person who allegedly sent the email has never requested similar information before, or it’s unusual for the person who allegedly sent the email to directly contact that particular employee.
• The wording and tone of the email are stilted. Many spear phishing attacks are launched by foreign hackers who are not fluent in English; the email may be riddled with punctuation, spelling, or grammar errors, be worded oddly, or use British spelling. The wording may also be overly formal – or overly casual.
• The domain the email was sent from is incorrect. Instead of “yourcompany.com,” the email may have been sent from “yourcompany.com-xyz.com” or some other derivative.

Employees should be taught that if something seems “off” about an email, they should consult a supervisor or IT security personnel before responding to it. Additionally, as part of your organization’s overall cyber security plan, a firm protocol should be established regarding requests for sensitive employee and patient data, and employees should be trained not to release sensitive data unless the protocol is followed.

In addition to using email spam filters to intercept suspicious messages, training employees to spot spear phishing emails, and implementing a solid security plan that includes protocol for the release of sensitive data, it’s a good idea for healthcare facilities to enlist the services of a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect hospitals and other healthcare organizations from data breaches, ransomware, and spear phishing attacks.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 or book some time with us to discuss your organization’s cyber security needs and find out how we can help your organization protect your patient and employee data.