Veridian Credit Union recently filed a class action lawsuit against Wendy’s in response to a credit card breach that hit the fast food vendor’s point of sale (POS) systems starting in the fall of 2015, Law360 reports.
The class action, filed on behalf of all U.S. financial institutions whose customers were affected by the breach, claims that Wendy’s failed to prevent the breach by updating its POS systems.
“Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data,” the complaint alleges.
Veridian claims that Wendy’s security systems were outdated, credit card information wasn’t deleted when it was supposed to be, antivirus software wasn’t regularly updated, firewalls weren’t maintained, and access to network and credit card data wasn’t monitored.
“It is well known that customer data is valuable and often targeted by hackers,” the complaint states. “Yet, despite the increasing occurrences of data breaches of systems of other restaurants and retailers, Wendy’s refused to take steps to adequately protect its computer systems from intrusion.”
Earlier this month, Wendy’s stated that the breach in question had affected many more locations than first thought when the breach was initially disclosed on May 11, 2016.
“Based on the preliminary findings of the previously-disclosed investigation, the company reported on May 11 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants,” the company announced. “An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, the company directed its investigator to continue to investigate.”
“In this continued investigation, the company has recently discovered a variant of the malware, similar in nature to the original, but different in its execution,” Wendy’s added. “The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the company believed had not been affected.”
As a result, Wendy’s says the number of franchise locations affected by the breach is expected to be “considerably higher” than first thought.
Wendy’s spokesman Bob Bertini told KrebsOnSecurity that it’s too early to pin down a specific number of stores affected, or to be sure that the breach is fully contained. “Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”
BalaBit product manager Peter Gyongyosi told eSecurity Planet by email that there are several key steps merchants should take to avoid being hit by these types of attacks. “The first step is to realize that POS terminals are extremely attractive targets for attackers, and treat them accordingly,” he said. “Ensure that the network connection is protected and firewalled from the rest of the infrastructure. Apply all firmware updates as soon as they become available.”
“And just as they would keep a close eye on any access to critical infrastructure, it’s important to monitor and analyze all administrative traffic that goes to these terminals,” Gyongyosi added. “There should be no updates that the merchant doesn’t know about, and any amounts of large or unusual traffic should raise an alarm.”
A recent eSecurity Planet article offered advice on securing sensitive data in a post-perimeter world.