July 8, 2016

At least 1,025 Wendy’s locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendy’s had said the breach impacted fewer than 300 locations.

An ad for Wendy's (in Russian).

An ad for Wendy’s (in Russian).

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores. But in a statement last month, Wendy’s warned that its estimates about the size and scope of the breach were about to get much meatier.

Wendy’s has published a page that breaks down the breached restaurant locations by state.

Wendy’s is placing blame for the breach on an unnamed third-party that serves franchised Wendy’s locations, saying that a “service provider” that had remote access to the compromised cash registers got hacked.

For better or worse, countless restaurant franchises outsource the management and upkeep of their point-of-sale systems to third party providers, most of whom use remote administration tools to access and manage the systems remotely over the Internet.

Unsurprisingly, the attackers have focused on hacking the third-party providers and have had much success with this tactic. Very often, the hackers just guess at the usernames and passwords needed to remotely access point-of-sale devices. But as more POS vendors start to tighten up on that front, the criminals are shifting their focus to social engineering attacks — that is, manipulating employees at the targeted organization into opening the backdoor for the attackers.

As detailed in Slicing Into a Point-of-Sale Botnet, hackers responsible for stealing millions of customer credit card numbers from pizza chain Cici’s Pizza used social engineering attacks to trick employees at third party point-of-sale providers into installing malicious software.

Perhaps predictably, Wendy’s has been hit with at least one class action lawsuit over the breach. First Choice Federal Credit Union reportedly alleged that the data breach could have been prevented or at least lessened had the company acted faster. That’s difficult to argue against: The company first learned about the breach in January 2016, and stores were still being milked of customer card data six months later.

More lawsuits are likely to come. As noted in Credit Unions Feeling Pinch in Wendy’s Breach, the CEO of the National Association of Federal Credit Unions believes the losses their members have suffered from cards compromised at Wendy’s locations so far eclipse those that came in the wake of the huge card breaches at Target and Home Depot.

People who are in the habit of regularly eating at or patronizing a company that is in the midst of responding to a data breach pose a frustrating challenge for smaller banks and credit unions that fight card fraud mainly by issuing customers a new card. Not long after a new card is shipped, these customers turn around and unwittingly re-compromise their cards, prompting institutions to weigh the costs of continuously re-issuing versus the chances that the cards will be sold in the underground and used for fraud.

A number of readers have written in this past week apparently concerned about my whereabouts and well-being. It’s nice to be missed; I took a few days off for a much-needed staycation and to visit with friends and family. I’m writing this post because some stories you just have to see through to the bitter end. But fear not: KrebsOnSecurity will be back in full swing next week!

51 thoughts on “1,025 Wendy’s Locations Hit in Card Breach

  1. NotMe

    Too funny, just hit your site to see if you were on vacation.
    I received a letter for a client asking to complete a PCI self assessment. They have one terminal that is chip ready. When you go to the site to complete the assessment it makes you turn on flash and java script! Oh the irony. I’m not impressed with “PCI Rapid Comply Trustwave Enabled Solutions”. But perhaps it will keep this merchant off the list compromised terminals? At least they are going through the motions and trying to get the small merchants to comply.

  2. Chip

    I do have hope that as the US mandates the use of the embedded chip technology that it will help protect the consumers, at least for a while. However, I fear that its already too late. This is why I don’t use my debit card for online or POS purchases, as my credit card isn’t directly linked to my checking account and at least provides a buffer to my on-hand cash.

  3. 1000songs

    The embedded chip technology (EMV) will not stop the bleeding. Unless and until acquirers eliminate the provisions that mandate a “fallback” to magstripe when the chip is damaged or there is no chip (ie. until recently, every US issued card for the last 20 years), the bad guys can read the magstripe and use them where EMV is not mandated.

    Moreover, EMV does not help with online fraud. There is no way to read an EMV chip online. Without two-factor authentication (or better authentication), and as long as your cards still have a magstripe in addition to a chip, the game will continue.

    1. timeless

      PayPal [1] was a solution to this problem.

      The other approach is a Controlled payment number. Discover and AmEx both used to offer them, a number of other banks have at various times. Unfortunately, many have discontinued the service partially due to lack of use.

      In theory, Square’s EMV [2] solution could be used with Controlled payment numbers.

      [1] https://www.paypal.com
      [2] https://squareup.com/emv

      1. 1000songs

        Wasn’t the controlled payment number just a very early attempt at tokenization? Really no different than issuing a new card every few months.

        1. timeless

          I suppose you could call it tokenization, but the thing is that you can’t use normal tokenization for online purchases…

          And the “secure pay” nonsense from Visa/MasterCard are an absolute joke…

    2. treFunny

      I got a new card in April and it still did not have the chip… when i asked why in the world they would ship a new card without a chip they replied with this:

      You card expired right before the deadline (?) and a new “chipped” card will be sent out around Dec 2016.

      So yeah the banks don’t care either. To be fair this is a small town bank with only 4 locations.

      1. timeless

        That happened to me w/ a Discover Card. I called Discover and asked about getting a chip card and they sent me one.

        One thing about cards with Chips: Their magstripes can be cloned and used at Gas pumps until October 2017 w/o issue.

        Plus, the cards w/ Chips cost much more to produce (over a dollar vs pennies).

  4. sarah

    Our son has used his card at one of the Wendy’s listed in the affected restaurants, and has had his card replaced twice within 3 months. I assumed the first replacement had to be because of Wendy’s, due to the coincidence. I was puzzled by the second replacement, but checking the affected store list last night found one of the compromised stores also listed in his recent purchases, in his card account online. And his purchase was mid-May, and I believe the list STILL indicated affected dates as of the end of last month, June.

    Wendy’s seems to be allowing this breach to remain active. Why haven’t they brought their involvement to a halt? Seems like the risks far outweigh the costs of continuing business while still fully compromised.

    Oh, and giving all affected card holders 1 year of ID theft monitoring is a token response and serves little except to notify you AFTER the fact that your data is sold and widespread.

  5. BGCF

    Perhaps it’s time some investigative reporting dug into the third-party POS companies.

    1. anon

      I used to work for a company that provided POS systems for a great many Wendy’s franchise stores.

      I can’t say for sure they are the ones that cause the breach, but it wouldn’t surprise me.

      List of stores Wendy’s published seems to match my decade old memories of which stores I supported at the time (at least in my area) and the local ones I know we didn’t support aren’t on the list.

  6. Dan

    1000songs is by and large correct, just not complete. Until the magstripe is gone card fraud known as “card not present” will continue to be a problem. But that’s not the only problem. And they ALL come from Visa/MasterCard. All. Here they are:

    1) Both cards require signature or PIN be used, and allow the merchant to decide what it defaults to. Great if the merchant is responsible for loss, but he isn’t. So he takes the one that is cheapest or fastest. Usually signature. But notice that PIN would be far more secure, right? And can be changed at will. And fraud detection can detect attempts to “guess” a PIN, so that’s pretty good.. But did you know PIN is less profitable in many cases?

    2) Visa has now backed down from the EMV claim of making vendors be responsible for losses. Banks are again now holding the bag, and once again the primary choke point for card present fraud is (the vendor) has no reason to be diligent. Before you say “so what”, until you force the vendor to slow down and be responsible you will not affect change. And the banks are going to replace that loss with reduced interest, so at net the consumer looses, the vendor has no incentive, and the criminal continues to gain.

    We could cure this easily. Here’s how:

    A) Force vendors to become responsible for the fraudulent card present transactions they accept.

    B: Allow card issuers to deploy PIN only cards when it fits their business/risk model.

    C: Allow card issuers to create a card type that is EMV only. Sure there are times it can’t be used, but that will decrease as time passes.

    D: Allow issuers to require an SMS text message be sent to a customer whenever a card not present transaction was made.

    If I had an EMV only card as my primary and an magstripe backup that as PIN only I’d be pretty darn safe. Add the text message on card not present and cyber crime would slow dramatically.

    But Visa/MC aren’t going to hurt their business model and act responsibly, for as long as it’s not costing THEM money why change?

    1. Joe

      Amex has an option to send email when a card not present purchase is made.
      They also can send email when big purchases are made. I got that recently when there was a big charge at some fragrance shop in Florida, with me being in CA. I immediately had the card canceled and got a new card.

      1. othermike27

        You can direct AMEX to send you a text message and/or email when a card-not-present transaction is made, and when a purchase of $X or more occurs, where you can select X as any amount of $10 or more. Chase is better still: they send alerts on CNP, gas station charge and purchase greater than $X, for X of $1 or more. Both Chase and AMEX send alerts when the transaction occurs, whereas some financial institutions (looking at you, USAA!) don’t send an alert until the transaction posts, which may be 2-3 days after the miscreant has started using your account.

    2. Peter

      “Card not present” and hacked terminals have little in common, as the full maggstrip data is still not enough to make online purchages.

      Hacked terminals are formost and pretty much only an issue because for a long time many systems in the US will continue to accept non-chip transactions.

      But that isn’t a flaw in EMV, but a flaw (and even that term is debatable) in the rollout program.

    3. CJ

      I would never use a PIN for a purchase. A PIN is much too easy to steal and opens the door way too wide.

  7. Yes

    Wendy’s says some restaurants were exposed until June 8th, just checking one state.

  8. Joebob2000

    Thanks for the update Brian! Now on to the important question, if Wendys is off the table do I turn to Burger King, or Arbys?

    1. timeless

      While I don’t have statistics to back this up, I’d assume that on average a vendor who has been recently hit by a compromise is less likely to be hit soon than a vendor who has yet to report a compromise. — But you want to wait a bit to ensure that the vendor has actually cleaned up and established (probably for the first time…) security procedures…

    2. Sasparilla

      I wouldn’t think either of those chains would actually be any better at protecting your credit card numbers than Wendy’s. McDonald’s might be better (as a company), might.

      Maybe just carry cash for lunch and go where you want. JMHO…

    3. pinch-hitter

      You can shop with 100% safety at Wendy’s, Burger King, or McDonald’s, just use cash.

  9. Chris

    When the banks call and tell us our card has been compromised they do not share the name of the business that caused it. Likewise, card skimmers at gas stations have been mentioned on the news but they fail to call out the name of the station where it is happening. For the issue of the average consumer re-compromising themselves, this is the reason. And it is irritating. YES.. these business will lose money if we are told where our information is being stolen from. YES.. they deserve it. Please tell us where it is happening so we don’t have to research on Krebs 6 months later. SMH

    1. mattk

      Chris, there are a few reasons the banks don’t notify you.

      1. the breach might not have been identified yet.
      2. liability reasons-if the bank falsely states a merchant is responsible it can cause some legal problems
      3. the card companies don’t usually tell the banks which merchants were breached. banks can try to figure it out, but there is so much overlap with all the breaches it can be tough.

      1. Mahhn

        It is also against some stupid federal rule/law to say where the breach was even when it’s know by the card issuer, unless the breached company publicly discloses it, (from what I recall in the meeting).
        Which is bogus, because people think it was the financial institution and loose trust with the one place looking out for them.

      2. Enthusiast

        Mattk – regarding point #3, aren’t the banks in a better position to know which merchants were breached than the card networks? I’d expect the banks to tell the card networks… I mean, the issuers are the ones who get first notice from customers saying “hey – that wasn’t me”. They get enough of those, and then they do their “common point of purchase” analysis. After they realize that fraud has spiked, and a lot of the people who experienced said fraud all dined at Wendy’s…boom, they point the finger at Wendy’s.

        1. mattk

          Not necessarily. The criminals will combine cards from different breaches when they sell them, making it harder to trace 1 cpp. Many of these breaches overlap with timeframes which makes it harder to determine one merchant. Also big merchants show up as false positives on these CPP analysis fairly frequently. If I pulled the history on 10 recently compromised cards I guarantee you at least 7 of them will have a transaction at a big chain like Walmart or a Dunkin Donuts (or even Wendy’s). This leads to my second point above, liability and legal reasons. If you falsely accuse a merchant its not going to be pleasant for the bank.

          1. Spanky

            Yeah, it’s one thing to look at a bunch of fraud cards and decide Wendy’s has a problem, but being able to tell whether a specific card was compromised at Wendy’s vs skimmed at a gas station or just copied by a waiter can be impossible.

      3. Peter

        #4 Naming the merchant may provide an incentive to silently fix it and hope nobody can prove it back to them. You want merchants to be able to speak in confidence with upstream.
        #5 Merchant may not be at fault. E.g. if the payment vendor is compromissed, naming the merchant may also not be fair/productive.

  10. rayy

    For small transactions (<$20), just use cash–it's quicker and can't be hacked.

  11. Edward W.

    I’ve gotten to the point that rarely use my credit card any longer – cash for nearly everything. Yet I still had a fraudulent charge a couple of months ago – Wilson Leather on line store. I’ve never even been on their website. Everyone I know has had a credit card or two compromised over the last few years. The system is seriously broken.

  12. Aztech

    This is why I pay with a Discover Card that I leave in a frozen account state. A couple quick scans of my fingerprint on an iphone unlocks the card for the 2 minutes needed to pay at a restaurant or gas pump, then I freeze the account again. All credit cards should offer the ability to turn your account on and off, so that it cannot be used for charges unless you say so. My credit card number may get stolen, but unless someone uses it during the same 2 minutes I unfreeze my account to pay for my gas or restaurant bill, the card number will be no good to the crooks. I’ve been doing it for so long now it feels like a natural way to use a credit card.

    1. JCitizen

      That sounds like a good scheme – a lot simpler than the merchant specific account numbers they used to use.

    2. Robert.Walter

      You’re doing it wrong. Since you have an iPhone, do this:

      Put your card into Apple Pay. Get a device unique charge number that only works with the Apple Pay auto-generated single-use PIN code.

      Hold phone to POS terminal, when phone automatically lights up, caress the TouchID sensor and bask in convenience with security!

      1. Robert.Walter

        I should clarify that the set up is a one time activity that links your iPhone to your account. If your physical card gets comprimised, Discover will update all your card data in your phone automatically (even before you receive or activate the replacement card.). Same story on Apple Watch.

  13. JCitizen

    Glad you got some rest Brian!

    I’m also glad I don’t do business with Wendy’s – I quit going there because of their smart-aleck workers.

  14. Just Wondering

    Once the breach is discovered and it’s pinned down as to who is responsible, Wendy’s in this case… Why isn’t Wendy’s on the hook, franchise or not, for the costs involved? After a few companies paid through the nose and out the rear or even went bankrupt, that would be cause for other companies to take a very serious look at securing their POS POS’s! (pun intended)

  15. Spanky

    Omni Hotels also with a breach – POS systems for restaurants, gift shops etc, not the lodging/reservation end of things.

  16. Mike McMullen

    Seeking your thoughts on security ramification of the concept presented by HMG Research Beyond Devices: Invisible Hardware.

  17. Ken

    So one thing that is annoying is that Wendy’s is not making the list easy to search/scan. Grouping by state is reasonable, but city as well?! This is a royal pain to have to click through so many different drop downs to get a comprehensive list to cross reference against transaction data for a fraud investigator at a small bank. Even if they got rid of the dropdown for the city it would make it so much easier.
    What happened to just posting a pdf with all locations and dates?

    1. IA Eng

      Your’re kidding right? How many cities and locations are around your area of responsibility? if the banks would have pushed for EMV or other encryption years ago, this breach and probably many others potentially may have never happened.

      Now that people are forced to do their jobs since the pinch is felt on this breach is priceless.

      It also shows that the bank people have little communication skills outside the walls.

      Why don’t you just ask for a complete list of the entire state(s). A little bit of initiative goes a long way. It’s a verb, occasionally using in words like ingenuity, creativity, work…… you know action verbs.

      Things are not always served on your silver platter.

      1. SeymourB

        A few clicks plus copy & paste and anyone can build a list of the entire state. It beats some of the more annoying websites I’ve seen.

        Some people expect everything to be handed to them in XLS format.

  18. PC Cobbler

    “a ‘service provider’ that had remote access to the compromised cash registers got hacked”

    Remote access as a concept needs to have a stake driven into its heart. That’s why the service provider was able to bid low. Heck, maybe its employees are in India. Signature Systems of Pennsylvania, meet Fazio Mechanical Services. If I ran one of the banks or credit unions which suffered, I’d make it a point in my lawsuit.

  19. Ron G

    “…third party providers, most of whom use remote administration tools to access and manage the systems remotely over the Internet.”

    Oh. Swell.

    The Internet of EveryThing Hackable.

    So lame. Really. “Let’s save money by exposing everything to former Soviet States, where everything is crooked, there are no real jobs, and kids learn to program and play chess at age five.
    What could possibly go wrong?”

  20. roflem

    Master and Visa dont seem to care. I have seen card numbers which were blocked by their owners functioning half a year later. You card holders pay the price! Start using cash as much as possible.

  21. kit

    Why aren’t we entitled to know who was breached, threatening OUR credit! If I choose not to use Wendy’s, that’s MY right! Maybe they’ll be a little more careful with OUR information.

    Jr bacon cheeseburgers are NOT worth this!

Comments are closed.