A Pennsylvania credit union has opened a class-action suit against Wendy's, alleging the hamburger chain's inadequate security allowed hackers to infiltrate its networks to steal customers' credit and debit card information—for weeks undetected.
First Choice Credit Union’s lawsuit said hackers made “hundreds of thousands of fraudulent purchases” on credit and debit cards issued by various financial institutions after breaching Wendy's computer systems late last year.
In January, Wendy’s spokesperson Bob Bertini told security researcher Brian Krebs that the restaurant group has hired a security firm to look into reports from “payment industry contacts” that it may have been a victim of a serious data breach.
“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” he said at the time. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”
George Rice, senior director of payments for HPE Security - Data Security, told Infosecurity that the lawsuit should be a warning to other retailers.
“In addition to consumer restitution, industry fines and corporate brand damage, the financial consequences of PCI data breaches now routinely include the costs of defending against lawsuits brought by affected parties and any resulting judgements,” he said. “Security-deficient merchants will find it difficult to defend themselves against such lawsuits when powerful data security solutions are readily available on the market. Solutions such as point-to-point encryption and tokenization allow for the protection of sensitive data from the moment of acceptance and throughout its lifecycle in the organization.
Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale.
“And unfortunately, PoS systems are often the weak link in the chain—they should be isolated from other networks, but often are connected,” said Rice. “A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”
Photo © Ken Wolter/Shutterstock.com