igor - Fotolia
Wendy’s fast-food chain has revealed that cyber attackers used compromised third-party credentials to install malware at 20% of its US stores to steal customer credit card details.
The company said it had conducted a “rigorous” investigation to understand the “highly sophisticated” criminal cyber attacks.
Wendy’s first reported unusual payment card activity affecting some restaurants in February 2016, and confirmed in May that malware has been installed at less than 6% of its US franchised restaurants.
But in June, the company discovered data-stealing malware at more US locations, which means that around 1,025 of its US franchised stores have been affected, according to the Wall Street Journal.
Underlining the reputational and other damage caused by data breaches, the paper said Wendy’s is facing lawsuits against the company seeking class-action status and the company’s share price has fallen by 13% in the past three months.
Highlighting the risk posed by third-party suppliers, Wendy’s said in a statement that the intrusions had resulted from service providers’ remote access credentials being compromised.
This had allowed the attackers access and the ability to deploy malware to some franchisees’ point-of-sale systems, which is a popular way of stealing payment card data, with several hotel and retail chains being targeted in this way in the past few years, including US retailer Target.
“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorised activity,” the company said.
Wendy’s has set up a website for customers to check if they were potential victims, and is offering a year’s fraud consultation and identity restoration services to affected customers.
“In a world where malicious cyber attacks have unfortunately become all too common for merchants, we are committed to doing what is necessary to protect our customers,” said Wendy's president and CEO Todd Penegor in a statement.
“We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures. Thank you for your continued patience, understanding and support,” he added.
Read more about supply chain security
- Business is increasingly recognising the importance of information security, but information security within supply chains is still widely overlooked
- A comprehensive security strategy must include the supply chain
- The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essential Scheme
- A new mobile trojan dubbed 'DeathRing' is being pre-loaded on to smartphones somewhere in the supply chain, warn researchers
The cyber attack on Wendy’s provides several lessons for businesses, according to independent security advisor Graham Cluley.
“If you must give service providers access to your network, insist upon strong password policies (for instance, unique, hard-to-crack passwords for each login) and additional levels of authentication to reduce the chances of hacker exploitation,” he wrote in a blog post.
Cluley also advises businesses to limit what suppliers can do on their network by keeping access to the absolute minimum that they require to do their job and to monitor all network access.
“Require your third-party suppliers and partners to comply with baseline security procedures. If you don’t feel confident that they can meet your standards, don’t give them access to any part of your network,” he said.