Tag Archives: Wendy’s

Security News Bites for the Week Ending February 22, 2019

Over 5 Billion Records Exposed in 2018

Risk Based Security is reporting that there were 6,515 publicly reported breaches in 2018, exposing over 5 billion records.  This is a couple hundred breaches fewer than in 2017, but the final numbers are not in yet, as breaches continue to be reported.

The time between discovery and disclosure is 49 days, well beyond what GDPR requires.  Source: Risk Based Security.


Industrial Refrigerators Can Be Defrosted Remotely – By Hackers

As we have been saying for a while, Industrial Internet of Things (IIoT) security is horrible.  Researchers are reporting that temperature control systems made by Resource Data Management use a default password which can be found on the manufacturer’s web site.  If you can find the IP address, you can log in using any browser and wreak havoc on hospitals, restaurants and supermarkets.  The researchers found hundreds of these systems using the search engine Shodan.

The manufacturer’s defense is that they clearly tell people to change the default password.  Which, of course, no one does.  Source: Tech Crunch.


Wendy’s Agrees to Pay $50 Million to Settle One More Breach Lawsuit

Wendy’s has agreed to settle a lawsuit with the financial institutions who lost millions as a result of the Point of Sale system breach at hundreds of Wendy’s franchises (interestingly, none of the stores breached were owned by Wendy’s).  Wendy’s will pay $27.5 million and their insurance company will pay the rest.  This is part of the process of putting the 2016 breach behind them.  Wendy’s is famous because their CFO once said on tape that they didn’t want to spend the money to upgrade their credit card terminals to chip based readers because it was cheaper to give away a few free hamburgers.  I wonder if he still feels that way.  Source: Bizjournals.


UK Tells Trump Huawei Cyber-Risk is Manageable

President Trump is working hard to get the rest of the world to support him in banning Huawei technology from the next generation of cellular networks, due to the possibility that the Chinese government could compromise Huawei and put back doors in its software in order to hack our cell networks.

Apparently, the UK security chiefs disagree with our prez and said that the potential risk from Huawei is manageable.  This doesn’t mean that they think there is no risk, and they do not make the final decisions, but given that the relationship with our allies is complicated at best, the final result is unknown.

I suspect that will not make the President very happy.  Source: The Guardian.


Google to Fix Incognito Mode in Chrome That Leaks Info

Advertisers and web developers really don’t like it when browser makers stop them from doing whatever they want to do.

So they try to find ways around the stops.

In this case, advertisers figured out that even though they could not make cookies persist when the user was in incognito mode, they could detect that the user was using incognito mode to stop being tracked.  If the user was doing that, some web sites would block them from using the site.

Now, in Chrome 74, Google will create a virtual in-memory file system that behaves just like the real file system, so that web site developers won’t be able to detect the use of incognito mode.  At least not that way.  Now they will have to find another trick.  Source: 9to5Google.


Wendy’s Says Hackers Stole Credit Cards From More Than 1,000 Locations

In what has been a monument to how NOT to handle a data breach, Wendy’s has again revised the number of restaurants affected by hackers.  Wendy’s initially refused to release any information about how big the hack was, although bankers were saying that this was hitting them harder than the Home Depot breach did.

Then Wendy’s said that the breach affected fewer than 300 of their 5,700 stores and that they were all franchisees.  You can click on the search button on this blog and enter Wendy’s to find earlier posts.

Now, six months after they announced that some stores had been breached, they are saying that the number of stores affected is 1,025.  Whether that is a final number or not is unclear.  The data taken was only credit card information – account owner’s name, card number, expiration date and verification codes.  The breach apparently started in the fall of last year.  They have never said how many credit cards were stolen, but given the number of people that visit a Wendy’s in a given day, one has to assume the number is large.

Wendy’s has set up a web site where you can put in a country, state or province and city to find out which restaurants in your area were affected.  That web page can be found here.

So why has it taken six months just to find out which restaurants were affected?  It is not clear and it will likely be many more months if not years before that answer comes out due to likely lawsuits, but I will make some speculations.

For those people who have been following this, you may remember that Wendy’s current VP and Treasurer Gavin Waugh said a few years ago that it was too expensive to install chip card readers and that he would rather eat the fraud.

Well, he is going to have the opportunity to eat those words, along with the fraud.  Would you like fries with that fraud?

And, since Mastercard and Visa shifted the liability last November from them to merchants who had not installed chip systems, that fraud number could be very large.  As banks ask non-compliant stores to pay for the investigative and reissue costs, that could be hundreds of dollars per hacked credit card.

Here are my suspicions as to why it has taken 6 months just to find out how many stores were affected, even assuming this is the final number.

  • There are a large number (5,700) of locations to evaluate.
  • Many of the locations are not owned by Wendy’s, but rather by different franchisees.
  • They allowed different stores to use different point of sale software, and they have already said that more than one type of malware was found.
  • They likely did not have great audit tools installed, nor a sophisticated log management process implemented.  Log data would need to be captured and kept for months.  In addition, if the hack was sophisticated, which it appears that it was, that log data would need to be sent off site immediately so that the hacker could not modify or delete the local log files.
  • Given Gavin Waugh’s comments above, my guess is that they did not have a strong information security program.
  • I speculate that they did not have a robust incident response plan in place and tested.

While I have NO inside information and these comments are pure speculation, I suspect I am pretty close.  For other businesses, these attacks can be learning opportunities at very little cost.

Wendy’s figured the cost of fraud would be giving away a few $1 hamburgers.  While they have not revealed how much they have spent so far or how many cards were affected, it has to be a lot and will only grow.  Likely more lawsuits will be filed.  Home Depot and Target are still fighting lawsuits years after their breaches were revealed.

If Wendy’s had started planning the upgrade of their point of sale system in 2011 when Mastercard and Visa first announced the requirement for chip cards, they probably would not be in this boat today.

But, they figured, they would not be hit.  Apparently, they were wrong.

Whether you are a big company like Wendy’s or a small company with a single location, assuming that you will not be breached is probably not a good plan.  If you assume that you will be breached and do not wind up as a statistic, then you can be thankful.

After all, you don’t drive your car without insurance (hopefully), and you don’t skip getting homeowner’s insurance for your house thinking “nothing is going to happen to me.”  This is no different.

Prepare for the worst, hope for the best.

Information for this post came from ABC News.

Wendy’s, Cici’s, Twitter – The Attacks Keep Coming

In January 2015 Wendy’s disclosed, after many banks had already announced it, that its point of sale system was breached.  For months Wendy’s refused to provide any details, only saying that they were investigating things.

In May, when it released its first quarter earnings report, it said that fewer than 300 restaurants were compromised and all of them were franchisees.  None of the compromised systems were at company owned stores.  The NCR Aloha POS system, installed at many locations and planned to be deployed at all locations soon, was not compromised, but 50 other stores were compromised with other forms of malware.

Some people are saying the size of the breach is limited, but banks are saying that the hackers are being very effective at using the compromised cards and the banks are having a hard time controlling their losses.

Wendy’s appears to be really struggling with this.

On June 9th, they admitted that the breach was worse than they had admitted in May.  The new locations, for which they have not announced a number, had a variant of the original malware which the original forensics firm did not detect.

What this may mean is that Wendy’s is still bleeding credit cards.  The banks certainly seem to think so.

Hopefully at some point we will find out the real damage, but Wendy’s does not seem to be able to effectively get to the bottom of it.  In the meantime, class action lawsuits have been filed.

Also, Cici’s Pizza appears to have been hacked.  A little over a million card numbers seem to be available on the dark web.  While Cici’s gave reporter Brian Krebs a total runaround, the POS vendor, Datapoint, said that this appears to be related to the TeamViewer hack that has been in the news lately and that multiple POS vendors are affected.  TeamViewer, a remote access tool, has been in the news lately as many people say that their systems, which have TeamViewer installed, have been compromised.  TeamViewer insists that they have not been hacked, but so did Wendy’s for quite a while.

There have been a number of POS attacks which were carried out by compromising the remote control software that the third party used to manage the POS systems in the stores.  Brian Krebs is reporting that the attack on Cici’s may have been assisted, at least in part, by people pretending to be technicians for the POS company and socially engineering store employees into giving them access.  If so, this is a classic attack method – using store employees as their foil.

Both the Cici’s and TeamViewer attacks are relatively new, so we have not had any official news – other than the typical denial – from either company.

Interestingly, Brian Krebs said that when he went to the Datapoint web site, Google warned that Datapoint’s site was compromised and that it was once used by hackers to promote Viagra clones.  He has a screen shot of the Google alert on his web site.

Now on to Twitter.  This has not been a good week for Twitter.  Over the week, the accounts of many celebrities, including Mark Zuckerberg, Katy Perry and the NFL, among a number of others, were hacked.

Twitter says that some number of accounts have been compromised and their owners – as well as the hackers – have been locked out, on purpose.  Media sources say that number is 33 million.

Twitter says that their servers were not hacked.  Some sources are suggesting that the list of 33 million accounts may have been aggregated by combining data from other hackers – like the 100+ million records taken from LinkedIn, since people seem hell bent on reusing passwords.

One thing that everyone needs to seriously consider is to start using two factor authentication.  All major websites offer it, and while it is a bit of a pain, it really is a requirement, not an option.  For users that have two factor authentication turned on, the real owner will get an alert on their phone and the hacker will have to figure out how to get that 6- or 8-digit number to log in.  That will effectively keep the attacker out, even though they have your password.

As businesses and users continue to insist on convenience over security, the hackers continue to win.  At some point, the cost of being hacked will outweigh the convenience of reusing passwords, using passwords like 123456 and other not-so-smart things.

However, I recommend that you not hold your breath waiting.

Information on the Wendy’s breach came from eWeek.

Information on the Cici’s breach came from Brian Krebs.

Information on the Twitter attack came from The Guardian.

Wendy’s Sued Over Data Breach

As could be expected, the Wendy’s data breach saga continues.  A proposed class action lawsuit was filed by a credit union in Pittsburgh representing all banks who were affected by the breach.

As reported by Brian Krebs in March, credit unions said that they saw a rise in fraudulent credit card use that was greater than what they saw after the Target or Home Depot breaches.  One credit union said the fraud was 5 to 10 times the loss it saw during the Target and Home Depot breaches.  That money has to be recovered somehow, either through higher bank fees, higher fees to merchants which are reflected in higher prices, or lawsuits against the store that caused the expense.  As we saw in both the Home Depot and Target breaches, those lawsuits only recover a small portion of the costs.

Wendy’s has been pretty mum about the extent of this breach.  It is not clear why they have not disclosed the scope of the breach.  The lawsuit is providing a little bit of information.

The lawsuit claims that Wendy’s “refused to take steps to adequately protect its computer systems from intrusion”.  That is a pretty strong claim.

The lawsuit claims that the breach ran from Oct 22, 2015 to March 10, 2016, or about 5 months.

Wendy’s was notified by customers in January that they were seeing unusual activity on their credit cards after visiting Wendy’s locations.  In other words, Wendy’s didn’t figure out they were breached, customers did – which is why it is important to review your credit card and bank statements regularly.  An even better solution is to have your bank send you a text message every time your credit or debit card is used.  Most banks have this capability and it is free.  That way you will know instantly if your credit card is used fraudulently.

Wendy’s did not admit to the fraud until February 9th and then told customers not to worry – that the banks would reimburse them for any fraud.  While this is true, it wouldn’t seem to be the most responsible way of dealing with the situation.  Most businesses agree to being responsible if consumers lose money, even though they know that the banks will provide the first line of defense.

The lawsuit goes on to say that “Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data”.  Readers of this blog may remember that I reported earlier that the Wendy’s CFO said that it was cheaper to pay the fraud than to upgrade their point of sale system to accept chip based cards.  It is not clear if he still feels that way.

As a result of the breach, the banks have been forced to cancel and reissue cards, change or close accounts, notify customers that their cards have been compromised, investigate fraud claims, refund charges, increase monitoring and take other steps, the lawsuit says.

What is different in this case from, say, Target is that under new credit card rules effective October 1, 2015, businesses are now liable for all of these costs if the consumer presented a chip based card and the store did not have a chip based credit card reader.  As of the last report I saw, only about 50% of businesses have chip based credit card readers.  Wendy’s is not one of those stores.

The banks would likely want to make a showcase of Wendy’s to push stores to adopt the chip based technology.  So while the Wendy’s CFO was likely thinking of the fraud costing him the $5 cost of a burger, under the new rules it could cost him $100 or $200 per fraudulent transaction for all of the expenses described above.  If there were only, say, a million fraudulent transactions, you can do the math.

The lawsuit goes on to say that Wendy’s, in a recent SEC filing, said that it was heavily dependent on its POS system and any breach could impair their ability to operate efficiently.  The report was filed in January; whether they knew about the breach at that time is unclear.

The lawsuit also says that Wendy’s was not following 2007 FTC guidelines and similar state regulations designed to protect consumer data.  2007 was a long time ago, so it is going to be hard for them to explain why they were not following those rules.

I suspect that Wendy’s will settle out of court given these claims.  The truth would likely be way uglier than paying the banks.  What is unclear is how much the banks will be asking for.  In past large breaches, the banks settled in the $10 million to $30 million range.  Since the banks are claiming that this breach is costing them way more than the Target or Home Depot breaches did, and considering the new credit card liability rules, it is not clear how much this will cost Wendy’s.

Wendy’s has also not said if they carried cyber liability insurance or if they did, how much coverage they had.  I will be amazed if it turns out that they did not have some coverage.

While the suit likely won’t be settled for years, we should see some more information in future Wendy’s SEC filings.

Information for this post came from Krebs On Security and the Courthouse News Service.

Some Credit Unions Getting Clobbered From Wendy’s Breach

While Wendy’s has been pretty quiet regarding the credit card breach that they appear to have suffered, others are not so quiet.

You may remember from my February 1st post (see here) that Wendy’s VP and treasurer Gavin Waugh said a couple of years ago that Wendy’s fraud rate was so low that paying the fraud liability is a whole lot cheaper than putting in [EMV] terminals.  I suspect that he now regrets having made that statement publicly.

The problem with Waugh’s statement is that while he is correct that if people use a stolen credit card to buy a $1.99 burger, it is pretty cheap to reimburse the owner of the card, that is not what he is dealing with today.

Assuming the story is correct, a breach of their point of sale system could expose tens of millions of cards.  If, say, there is zero fraud (not the case – see below) but the banks have to reissue 10 million cards, that is a $100+ million invoice.  Some of that is likely offset by insurance, but Wendy’s is not saying how much.  Since they are publicly traded, they will have to say something eventually.

The other problem that Waugh has to deal with is the “shift in liability” that occurred in October 2015.  That shift means that Wendy’s is responsible for the full cost associated with each CHIP card that is breached.  Non-chip card losses are still eaten by the banks.  Depending on the mix – still unknown – and the number, you can make up whatever math you want to.

However, what B. Dan Berger, CEO at the National Association of Federal Credit Unions, is saying is that credit unions saw a huge increase in debit card fraud in the few weeks before the breach became public.  Remember, a LOT of people visit Wendy’s in any given day, hence LOTS of credit card numbers.

One credit union CEO said:

“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.

“All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”

Assuming this turns out to be true, we could be talking maybe a hundred million cards and the bill for that could be large.

We should anticipate them saying something in their quarterly update in early April, but it likely will be vague.  How vague is unknown.

Information for this post came from KrebsOnSecurity.

Wendy’s Could Become Test Case – And Not In A Good Way

It appears that Wendy’s may be the most recent company to get their point of sale system hacked and have customer credit card data compromised.

At this point, Wendy’s has ONLY said that it is currently investigating reports of unusual activity involving payment cards used at some of its locations.

BUT, if it quacks like a credit card breach, it likely is a credit card breach.

What they probably don’t know yet is how big it is.

Now here is the test case.

Last November, the payment card industry had a liability shift.  For companies that have not installed chip capable point of sale systems, if customers have chip credit cards, the merchant is now liable for the cost of the breach.  That means not only the charges that have to be refunded to the customer, but also the cost of investigating it, the cost of reissuing the card and all other costs.  The banks designed this to be very painful for merchants who do not upgrade their point of sale systems.

A couple of years ago Wendy’s current VP and treasurer Gavin Waugh said that their fraud rate was so low that paying the fraud liability is a whole lot cheaper than putting in [EMV] terminals.

IF, and this is a big if, it turns out that the unusual activity is a breach and again IF the number of cards compromised is large and IF Wendy’s has not installed chip readers in their POS terminals and IF the customers had chip based cards — notice that is a lot of IFs — then Wendy’s may need to reconsider whether paying the fraud liability is cheaper than those new terminals.

Here are some totally made up, but actually somewhat conservative, numbers.

If there was a breach and it affected 1 million cards (that would be 1/40th the size of the Target breach, so, in the grand scheme of things, maybe a conservative number) and if the cost per card, on average, of the losses to the credit card companies was $250 – some more, some less – then Wendy’s could be on the hook for $250 million.

Granted there are a lot of ifs here, but we will eventually find out more answers and if it was a big breach, the $250 million could be on the low end of the scale.  10 million cards @ $100 each is a billion dollars.

SO, we shall see if Wendy’s is a test case and, if so, how big the breach is.  Gavin may need to reconsider that statement.

And, for other merchants that have not upgraded their terminals, consider this: if you have a breach and it only costs you a couple of million dollars, what is the impact on your business?