Wendy's Point of Sale Hack Grows Bigger

Written by

The scope of the hack-attack on the Wendy’s fast-food chain could be much larger than we previously thought.

In January, Wendy’s spokesperson Bob Bertini told security researcher Brian Krebs that the restaurant group has hired a security firm to look into reports from “payment industry contacts” that it may have been a victim of a serious data breach.

 “We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” he said at the time. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

After that investigation, the company said that malware was discovered in the point-of-sale systems of less than 300 franchised restaurants in North America, while 50 more locations were suspected to have experienced a cyber-issue. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But now, it has found additional cases of unusual credit card activity at some of its restaurants, it said, which has led to the discovery of another variant of the malware.

Getting to the meat of the matter, so to speak, Bertini told Krebs last week that the second wave of malware is similar in nature to the original, but different in its execution.

“The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the company believed had not been affected,” he said. “This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.”

The consequences could be extensive: A Pennsylvania credit union recently opened a class-action suit against Wendy's, alleging that the hamburger chain's inadequate security allowed hackers to infiltrate its networks to steal customers' credit and debit card information—for weeks undetected.

First Choice Credit Union’s lawsuit said hackers made “hundreds of thousands of fraudulent purchases” on credit and debit cards issued by various financial institutions after breaching Wendy's computer systems late last year.

Photo © Ken Wolter/Shutterstock.com

What’s hot on Infosecurity Magazine?