Even more fast-food patrons may have a beef with The Wendy's Company, after the restaurant chain announced yesterday that the total number of restaurants affected by a point-of-sale data breach discovered last February may be “considerably higher” than originally thought.
Wendy's had previously reported in May that the malware found on certain franchised locations' POS systems affected fewer than 300 North American locations, with another 50 locations also suspected of experiencing unspecified cybersecurity issues. Victims who purchased food at these locations had their payment card data stolen and used fraudulently at other merchants.
However, according to a new press statement from Wendy's, further investigation into the incident has turned up a variant that is “similar in nature to the original but different in its execution.” This variant, which Wendy's described as “extremely difficult to detect,” was uploaded via a remote access tool to a second POS system that was not previously known to be infected. Though Wendy's did not provide any figures, the company did admit that the total number of victimized franchise restaurants is now much higher than once thought.
Wendy's emphasized that no company-operated restaurants appear to be impacted, and explained that the franchise locations were likely affected as a result of attackers stealing credentials from third-party service providers who help maintain and support franchisees' POS systems.
Adam Levin, chairman and founder of identity theft firm IDT911, was critical of Wendy's statement. “Wendy's is quick to deflect blame and point the finger at franchisees and third-party service providers, and continues to make excuses by claiming the malware used by attackers is ‘highly sophisticated' and ‘extremely difficult to detect,'” said Levin in a statement provided to SCMagazine.com. “By downplaying the severity of the breach, Wendy's runs the risk of further compromising its reputation and has put tens of thousands of consumers in jeopardy.”
Jonathan Cran, vice president of operations at cybersecurity crowdsourcing service Bugcrowd, added in his own statement to SCMagazine.com, “It's surprising we don't see more follow-on breach announcements like this. Once an attacker is in and laterally moving throughout the network, it can be very difficult to fully contain and remove their access. Attackers are going after sources of magnetic stripe credit card data as consumers move to EMV "chip" cards. While EMV was not designed to prevent malware (ram scraper) attacks, in practicality, these cards would probably have protected consumers in this case."