Today, Wendy’s announced that malicious software affected POS devices in around 300 of the company’s 5,500 franchised stores, about 5% of all company restaurants. Tod Beardsley, Security Research Manager at Rapid7, has provided his comments on the breach below.
Tod Beardsley, Security Research Manager at Rapid7
It’s easy to say this was Wendy’s problem — and Wendy’s is certainly taking on some of the responsibility by working hard to investigate and mitigate the issue — but I’d expect that the attack was enabled by weak credentials instituted by the unnamed secondary POS vendor.
The hassle of having a card number compromised, and the resulting reporting and monitoring, is borne by individual card holders. So, while it won’t cost them very much money, it’s certainly costly in terms of time and stress. The costs associated with the fraud are absorbed by the card issuers, who increasingly offer zero liability agreements with debit card holders (assuming the loss is reported by the card holder).
This disconnect between incentives and risks due to the interconnected relationships between retailer, POS vendor, card holders, and card issuers makes this sort of crime very difficult to combat in a practical and consistent way, and inconsistencies in systems are where systemic crime lives and breathes.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.