Posts Tagged: National Association of Federal Credit Unions

Jul 16

1,025 Wendy’s Locations Hit in Card Breach

At least 1,025 Wendy’s locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendy’s had said the breach impacted fewer than 300 locations.

An ad for Wendy's (in Russian).

An ad for Wendy’s (in Russian).

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores. But in a statement last month, Wendy’s warned that its estimates about the size and scope of the breach were about to get much meatier.

Wendy’s has published a page that breaks down the breached restaurant locations by state.

Wendy’s is placing blame for the breach on an unnamed third-party that serves franchised Wendy’s locations, saying that a “service provider” that had remote access to the compromised cash registers got hacked.

For better or worse, countless restaurant franchises outsource the management and upkeep of their point-of-sale systems to third party providers, most of whom use remote administration tools to access and manage the systems remotely over the Internet.

Unsurprisingly, the attackers have focused on hacking the third-party providers and have had much success with this tactic. Very often, the hackers just guess at the usernames and passwords needed to remotely access point-of-sale devices. But as more POS vendors start to tighten up on that front, the criminals are shifting their focus to social engineering attacks — that is, manipulating employees at the targeted organization into opening the backdoor for the attackers.

As detailed in Slicing Into a Point-of-Sale Botnet, hackers responsible for stealing millions of customer credit card numbers from pizza chain Cici’s Pizza used social engineering attacks to trick employees at third party point-of-sale providers into installing malicious software. Continue reading →

Jun 16

There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier

When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

wendyskyOn January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May. In my March 02 piece Credit Unions Feeling Pinch in Wendy’s Breach, I quoted B. Dan Berger, CEO of the National Association of Federal Credit Unions, saying the he’d heard from three credit union CEOs who said the fraud they’ve experienced so far from the Wendy’s breach has eclipsed what they were hit with in the wake of the Home Depot and Target breaches.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”

Bertini said part of the problem was that the breach happened in two waves. He said the outside forensics investigators that were assigned to the case by the credit card associations initially found 300 locations that had malware on the point-of-sale devices, but that the company’s own investigators later discovered a different strain of the malware at some locations. Bertini declined to provide additional details about either of the malware strains found in the intrusions.

“In recent days, our investigator has identified this additional strain or mutation of the original malware,” he said. “It just so happens that this new strain targets a different point of sale system than the original one, and we just within the last few days discovered this.” Continue reading →

Mar 16

Credit Unions Feeling Pinch in Wendy’s Breach

A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.

wendyskyAs first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.

According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.

“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher that what they were hit with after Home Depot or Target,” Berger said. “It seems to have been been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

Berger shared an email sent by one credit union CEO who asked not to be named in this story:

“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”

All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”

Wendy’s declined to comment for this story.

Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.

Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs. As I reported in September 2014, this is exactly what happened in the wake of the Home Depot breach. Continue reading →