Wendy's Investigating Possible POS Data Breach
By Jennifer LeClaire / CRM Daily
Published: January 27, 2016

The trend of cyberattackers targeting retail and fast-food chains is continuing in 2016. Nationwide fast-food chain Wendy’s is the latest to announce it is investigating a possible credit card breach stemming from its POS (point-of-sale) system.

"Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants," Wendy's spokesman Bob Bertini told Reuters. "Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident. We have hired a cybersecurity firm to assist, but are not disclosing the name at this point."

The brand name is different, but the story is much the same. It seems the attack focused on individual stores and the malware was planted in POS systems to gather credit card numbers, according to KrebsOnSecurity, which broke the news. Other restaurants and retailers that have been hit in a similar fashion include Jimmy John’s, Landry’s, P.F. Chang’s, Dairy Queen, Chick-fil-A, retail giant Target and Home Depot.

“Old POS systems are easy to compromise,” Simon Crosby, CTO of endpoint security firm Bromium, told us. “They are often unpatched, and typically run POS software that requires admin privileges, so an attacker can easily run whatever code they please.”

What Retailers Should Do

Wendy’s could not immediately be reached for comment, but Jonathan Cran, VP of operations at bug bounty platform Bugcrowd, said one of the most important things to note is that it's often a merchant bank or individual cardholder working in collaboration with a reporter to disclose the issue publicly.

“This either indicates that the organizations are either withholding or, more likely, have limited or no knowledge of the breach,” Cran said. “Given the distributed nature of these systems, and the lack of tooling, the breaches are difficult to detect prior to exfiltration of the information.”

Travis Smith, senior security research engineer at advanced threat detection firm Tripwire, said that security is often an afterthought on point of sale systems. Although details of the Wendy's breach are not yet publicly known, there are some quick steps that organizations with point-of-sale devices can take to protect their customers at little to no cost, he said.

“Most of the credit card stealing malware sends the customer card data to a location on the Internet. Lock down the point of sale devices to prevent them from accessing the Internet,” Smith said. “Second, these devices typically have little to no change outside of known change windows. Monitoring for changes to the devices can alert the staff to take appropriate steps to contain a possible breach before it spreads.”
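
The two controls Smith describes can be backed by a simple detection pass over terminal event logs. The following is an added example, not code from the article or from Tripwire; the log format, terminal names, allowed networks and change window are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed policy: POS terminals may reach only these internal networks
# (payment gateway subnet and one back-office host). Constructed values.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.10/32")]
# Assumed approved change window: Tuesdays (weekday 1), 02:00-04:00 local time.
WINDOW_WEEKDAY, WINDOW_START, WINDOW_END = 1, 2, 4

# Constructed sample events, one per line: "timestamp terminal kind detail"
SAMPLE_EVENTS = """\
2016-01-26T02:15:00 pos-07 file_change C:/POS/bin/pos.exe
2016-01-26T13:05:11 pos-07 connect 10.20.0.15:443
2016-01-27T21:40:02 pos-12 file_change C:/Windows/Temp/svc.dll
2016-01-27T21:41:30 pos-12 connect 203.0.113.45:80
"""

def egress_allowed(dest):
    """True only if the destination host is inside an allowed network."""
    host = dest.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or garbage are treated as not allowed
    return any(addr in net for net in ALLOWED_NETS)

def in_change_window(ts):
    """True if the timestamp falls inside the approved change window."""
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.hour < WINDOW_END

def find_alerts(log_text):
    """Return (terminal, reason, detail) for every event that breaks policy."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts = datetime.fromisoformat(parts[0])
        terminal, kind, detail = parts[1:]
        if kind == "connect" and not egress_allowed(detail):
            alerts.append((terminal, "unexpected_egress", detail))
        elif kind == "file_change" and not in_change_window(ts):
            alerts.append((terminal, "change_outside_window", detail))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Detection like this complements, rather than replaces, the firewall rule that blocks the terminals from the Internet in the first place.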

Will Retailers Wake Up?

Cran said the best thing retailers can do is set up a public channel to accept input from researchers and banking industry professionals.

“Also worth noting, as the frequency of these breaches is increasing, there may be a rush from the underground to collect non-EMV cards before all retailers mandate them. EMV (which stands for Europay, MasterCard and Visa) chips will help prevent actual card duplication, but they won't prevent online theft,” he said.

And brick-and-mortar retailers have to wake up to the risks inherent in their businesses, according to Crosby. “Perhaps a few more well publicized breaches will help retailers wake up. That said, I’m not hopeful,” Cran said. “That’s why chip-plus pin/sign and PCI standards are so important. We need to move the world forward.”

Image Credit: The Wendy's Company.

TJ:
Posted: 2016-01-27 @ 4:12pm PT
Well, it's not called 'P.O.S.' for just the one reason.

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.