igor - Fotolia

Wendy’s hackers used third-party credentials to steal credit card data

Wendy's fast-food chain has confirmed hackers used third party credentials to plant malware to steal credit card details and reveals that three times as many stores were affected than initially thought

Wendy’s fast-food chain has revealed that cyber attackers used compromised third-party credentials to install malware at 20% of its US stores to steal customer credit card details.

The company said it had conducted a “rigorous” investigation to understand the “highly sophisticated” criminal cyber attacks.

Wendy’s first reported unusual payment card activity affecting some restaurants in February 2016, and confirmed in May that malware has been installed at less than 6% of its US franchised restaurants.

But in June, the company discovered data-stealing malware at more US locations, which means that around 1,025 of its US franchised stores have been affected, according to the Wall Street Journal.

Underlining the reputational and other damage caused by data breaches, the paper said Wendy’s is facing lawsuits against the company seeking class-action status and the company’s share price has fallen by 13% in the past three months.

Highlighting the risk posed by third-party suppliers, Wendy’s said in a statement that the intrusions had resulted from service providers’ remote access credentials being compromised.

This had allowed the attackers access and the ability to deploy malware to some franchisees’ point-of-sale systems, which is a popular way of stealing payment card data, with several hotel and retail chains being targeted in this way in the past few years, including US retailer Target.

“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorised activity,” the company said.

Wendy’s has set up a website for customers to check if they were potential victims, and is offering a year’s fraud consultation and identity restoration services to affected customers.

“In a world where malicious cyber attacks have unfortunately become all too common for merchants, we are committed to doing what is necessary to protect our customers,” said Wendy's president and CEO Todd Penegor in a statement.

“We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures. Thank you for your continued patience, understanding and support,” he added.

Read more about supply chain security

The cyber attack on Wendy’s provides several lessons for businesses, according to independent security advisor Graham Cluley.

“If you must give service providers access to your network, insist upon strong password policies (for instance, unique, hard-to-crack passwords for each login) and additional levels of authentication to reduce the chances of hacker exploitation,” he wrote in a blog post.

Cluley also advises businesses to limit what suppliers can do on their network by keeping access to the absolute minimum that they require to do their job and to monitor all network access.

“Require your third-party suppliers and partners to comply with baseline security procedures. If you don’t feel confident that they can meet your standards, don’t give them access to any part of your network,” he said.

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Hackers and cybercrime prevention

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Sure, why not, every other chain has already been hacked. There is a fundamental problem with data security; patching it here and there will do little to solve it. I wonder how much we have to lose before we get serious about a solution.
Cancel
That is why I use cash for small purchases. Granted I get dirty looks at some restaurants when I told them I do not want to use their kiosk on the table to pay my bill. It would be to easy for a customer to tamper with the device. How are these companies getting hacked the most internally or external? I sill do not bank electronically, use a smartphone to pay for anything (don't even own one). To many possibilities for my info to be compromised.
Cancel
These types of thefts are going to become more and more common as thieves adjust to take advantage of soft targets.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close