Today, Wendy’s announced that malicious software affected POS devices in around 300 of the company’s 5,500 franchised stores, about 5% of all company restaurants. Tod Beardsley, Security Research Manager at Rapid7, has provided his comments on the breach below.
Tod Beardsley, Security Research Manager at Rapid7
“The Wendy’s breach illustrates a number of recurring themes that we see with point-of-sale (POS) system-based financial crime. The criminal activity was ongoing, lasting at least six months from detection to containment. The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third-party POS vendor for security. The fact that the breach affected only 5% of Wendy’s locations is certainly a contributing factor to its success; a small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialise.
It’s easy to say this was Wendy’s problem — and Wendy’s is certainly taking on some of the responsibility by working hard to investigate and mitigate the issue — but I’d expect that the attack was enabled by weak credentials instituted by the unnamed secondary POS vendor.
The hassle of having a card number compromised, and the resulting reporting and monitoring, is borne by individual card holders. So, while it won’t cost them very much money, it’s certainly costly in terms of time and stress. The costs associated with the fraud are absorbed by the card issuers, who increasingly offer zero liability agreements with debit card holders (assuming the loss is reported by the card holder).
This disconnect between incentives and risks due to the interconnected relationships between retailer, POS vendor, card holders, and card issuers makes this sort of crime very difficult to combat in a practical and consistent way, and inconsistencies in systems are where systemic crime lives and breathes.”