The Pennsylvania-based First Choice Federal Credit Union recently filed a class-action suit against fast food chain Wendy’s over a data breach, alleging that the breach at Wendy’s earlier this year will cost card issuers hundreds of millions of dollars. Although Wendy’s has not commented on the extent of the losses that the point-of-sale security breach could have caused, it has now revealed that hundreds of restaurants run by the company were hacked in late 2015.
Wendy’s company report for the first quarter of 2016, released on May 11, states under the heading ‘Update on investigation into unusual credit card activity’: “… the Company engaged cyber security experts earlier this year to conduct a comprehensive investigation into unusual credit card activity at some Wendy’s restaurants…. Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.” The report also says: “These findings also indicate that the Aloha point of sale system has not been impacted by this activity. The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016.”
Cyber security expert Brian Krebs reported on a credit card breach at Wendy’s on his blog as early as January this year. In a post dated January 27, 2016, Krebs wrote: “Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations.”
Wendy’s, however, has made it clear that effective steps have been taken to combat the POS malware attack. The Q1 earnings release says: “The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator, and federal law enforcement authorities to complete the investigation.”
Brian Krebs has, however, stated in a recent blog post that “Sources at multiple financial institutions say their data indicates that some of the breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 and into early April.”
POS malware of all kinds seems to have become all the rage among cyber criminals these days. This is mostly because businesses like Wendy’s, in sectors such as retail, healthcare, hotels and tourism, handle a high volume of financial transactions, so POS security breaches and credit card breaches at such businesses can help hackers make big money.
Business organizations, too, are up in arms against cyber criminals and POS malware; they are putting better and more effective point-of-sale security in place these days to make sure that their business transactions, as well as customers’ personal data, are all safe.