Wendy’s Data Breach: Forget the beef, where’s the cyber security?

The scope of the recent Wendy’s data breach, which has already resulted in a class-action lawsuit against the fast-food giant, is about to get much bigger. Krebs on Security reports having received information from “a number of sources in the fraud and banking community” alleging that “that there was no way the Wendy’s breach only affected five percent of stores [as Wendy’s originally reported] — given the volume of fraud that the banks have traced back to Wendy’s customers.” Even worse, these same sources allege that “the breach was still ongoing well after Wendy’s made the five percent claim in May.”

Backed into a corner, Wendy’s finally released a statement to Krebs on Security admitting that the number of locations affected was expected to be “considerably higher” than the approximately 300 originally reported. However, Wendy’s declined to estimate how many locations were involved, citing an ongoing investigation. Interestingly, the company emphasized that the breaches affected only independently owned franchise restaurants, not company-owned locations, and claimed that the breach was the fault of third-party service providers hired by franchisees to service and maintain their POS systems.

If that sounds like Wendy’s is passing the buck, it’s because they are. Rather than taking responsibility for the cyber security shenanigans going on under the Wendy’s banner, Wendy’s is choosing to place the blame on its franchisees and their third-party vendors: “They’re independently owned and operated, so we have no control over what they do!” It remains to be seen whether the courts will side with Wendy’s on this legal hairsplitting, but it’s unlikely that consumers will see things Wendy’s way. To a consumer, a Wendy’s location is a Wendy’s location, regardless of whether the corporation owns it or has franchised it out, and if consumers do not trust that their payment card data is safe at Wendy’s, they’ll stop patronizing their restaurants.

How Could the Wendy’s Data Breach Have Been Prevented?

Wendy’s claims that its POS systems were compromised using credentials stolen from POS service providers; these credentials allowed hackers to remotely access the POS systems. As discussed in a previous blog, there are numerous measures that restaurants and retailers can take to secure their POS systems, including monitoring the system for suspicious activity, such as someone logging in from an unusual location or accessing parts of the system they would have no legitimate reason to. The Wendy’s data breach could have been prevented had the company taken its cyber security seriously and implemented proactive security measures, but the company chose not to. Instead, it chose to pass the buck on its POS security, and then attempt to deflect responsibility onto its franchisees instead of getting out in front of the problem.

This begs the question, is the Wendy’s data breach a harbinger of things to come as the fast-food industry transitions from human clerks to automated ordering kiosks and touch screens? Consumers and the government are not yet asking this question, but if incidents like the Wendy’s data breach multiply, it’s certain they will be.

The core competency of a restaurant is food preparation, not information security, which is why restaurants should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting retail and restaurant POS systems from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.