Wendy's recently announced that at least 1,025 of its franchise-owned fast food locations were affected by a credit card breach that the company had initially claimed only impacted 300 locations, KrebsOnSecurity reports.
The information that may have been exposed starting in late fall 2015 includes cardholder names, credit or debit card numbers, expiration dates, CVV codes and service codes. A list of potentially affected locations can be accessed here.
The company says it believes the attacks were enabled by the theft of third-party service providers' remote access credentials, enabling the attackers to access some franchisees' point-of-sale systems.
KrebsOnSecurity reports that hackers are increasingly using social engineering attacks to breach third-party providers with the aim of compromising point-of-sale devices -- and are having a significant amount of success with that tactic.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"We are committed to protecting our customers and keeping them informed," Wendy's president and CEO Todd Penegor said in a statement. "We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy's restaurants."
"We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures," Penegor added.
All those affected are being offered one year of free access to fraud consultation and identity restoration services from Kroll.
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the Wendy's breach should serve as a reminder of the importance of effectively assessing third-party risks and identifying suspicious activity coming from third parties. "Increasingly, attackers are going after vulnerable third parties to reach their targets because they’re the weak link from a security standpoint," he said.
"What’s more, most organizations don't have insight into the risk around their third party vendors and partners, and therefore don't have the ability to assess and remediate the threat or even take measures to prevent an attack," Fantuzzi added. "Consequently, the Wendy's breach indicates a trend of breaches involving third parties that will rapidly increase going forward."
"It's one thing to establish a tolerable level of business risk, as no solution or approach is 100 percent airtight," Fantuzzi said. "But if there's any good news here, it's likely that Wendy's is now more aware of its risk posture and is taking steps to correlate security and business risk data in real time to ensure any critical incidents are quickly identified and remediated."
STEALTHbits director of product management Brad Bussie said by email that it would be a good idea for Wendy's to deploy new servers to all locations. "The reputation of Wendy's is at stake, and the quickest and most controlled way to eradicate the hack is to decommission the current stores' infrastructure," he said.
"This approach will need precise orchestration as none of the existing systems can be allowed to talk to the newly deployed systems," Bussie added. "Laser focus is required to make sure the new servers are deployed with the latest protection, including blocking Internet browsing, disallowing the use of removable devices, and tightly controlling store administrative access."
"When the breadth and depth of the infestation is unknown, it makes the most sense to burn your fields and start over with fresh earth," Bussie said.
A recent eSecurity Planet article examined 5 best practices for reducing third-party security risks.