Advanced Malware Chomps Wendy’s at Point-of-Sale

advanced malware

Since January, security researchers and credit unions have seen signs pointing to a massive point-of-sale (POS) breach at Wendy’s. The fast food chain took an abysmally long time to acknowledge that it was hacked, and now looks to pay the price of its recalcitrance—to the tune of a class action lawsuit.

Although Wendy’s hasn’t disclosed the kind of malware that was used, or the attack paths that were taken, it did share preliminary findings of its investigation in its fiscal 2016 first-quarter financial report. According to Wendy’s, the breach dates back to the fall of 2015 with the installation of advanced malware by compromised third-party vendor credentials. It affected one particular POS system used by some franchisees, not the one used by the majority of its 5,500 stores.

In the report, the company says it has “disabled and eradicated the malware in affected restaurants” and “continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.” During the course of the investigation, the company also uncovered unrelated security issues at 50 stores.

Why Did Wendy’s Sit on the Disclosure?

On the one hand, POS malware can go incognito for quite some time, especially if the hack is on a smaller scale, as was the case with Wendy’s. Cyber criminals targeted just 5% of Wendy’s stores, and fraud patterns are more difficult to detect with a small footprint. The criminals flew under the radar at Wendy’s for least six months from detection to containment—but security researchers and credit unions both  knew about the Wendy’s breach long before any public admission. Now, a legal complaint alleges that Wendy’s could have done more to stop the attack.

The case against Wendy’s is spearheaded by a Florida man who alleges $577 in fraudulent charges were made on his credit card after he used it at his local restaurant. The suit asserts that Wendy’s hasn’t kept up with industry standards to keep consumers’ information safe, failing to comply with an October 2015 deadline that required retailers to switch from card swiping to the chip scanners.

Other Retailers Are Also Tempting Targets For Advanced Malware

Wendy’s is just a recent example of how attractive POS malware is to bad actors. Countless other retailers— PF Chang’s, Target, Neiman Marcus, etc.—have been targeted because there’s a huge payoff without huge risk. Savvy hackers can mask fraudulent purchases to mirror those of their targets’ typical buying patterns. For example, extra charges at favorite restaurants or stores may go unnoticed without regular, careful monitoring of credit and debit cards. The longer a delay in informing customers, the greater the risk of numerous fraudulent charges.

Advanced malware is readily available in the cyber underground and POS terminals are everywhere. Any device that accepts payment information, in companies large or small, is a potential target. Hackers can get their hands on thousands of credit and debit cards without showing their faces on security cameras. And the market for captured data is hot; hackers can monetize this data more easily than, for example, lists of usernames and passwords.

The only way companies can stay ahead of cyber crooks is to modernize their security with next-generation endpoint protection. This means extending continuous lightweight monitoring on every terminal that your organization possesses. Don’t get compromised—learn more about this and other malware with SentinelOne’s Four Minute Guide to Enterprise Security Threats.