Wendy’s Says Hackers Stole Credit Cards From More Than 1,000 Locations

In what has been a monument to how NOT to handle a data breach, Wendy’s has again revised the number of restaurants affected by hackers.  Wendy’s initially refused to release any information about how big the hack was, although bankers were saying that this was hitting them harder than the Home Depot breach did.

Then Wendy’s said that the breach affected fewer than 300 of their 5,700 stores  and they were all franchisees.  You can click on the search button on this blog and enter Wendy’s to find earlier posts.

Now, six months after they announced that some stores had been breached, they are saying that the number of stores affected is 1,025.  Whether that is a final number or not is unclear.  The data taken was only credit card information – account owner’s name, card number, expiration date and verification codes.   The breach apparently started in the fall of last year.  They have never said how many credit cards were stolen, but given the number of people that visit a Wendy’s in a given day, one has to assume the number is large.

Wendy’s has set up a web site where you can put in a country, state or province and city to find out which restaurants in your area were affected.  That web page can be found here.

So why has it taken six months just to find out which restaurants were affected?  It is not clear and it will likely be many more months if not years before that answer comes out due to likely lawsuits, but I will make some speculations.

For those people who have been following this, you may remember that Wendy’s current VP and Treasurer Gavin Waugh said a few years ago that it was too expensive to install chip card readers and that he would rather eat the fraud.

Well, he is going to have the opportunity to eat those words, along with the fraud.  Would you like fries with that fraud?

And, since Mastercard and Visa shifted the liability last November from them to merchants who had not installed chip systems, that fraud number could be very large.  As banks ask non-compliant stores to pay for the investigative and reissue costs, that could be hundreds of dollars per hacked credit card.

Here are my suspicions as to why it has taken 6 months just to find out how many stores were affected, even assuming this is the final number.

• There are a large number (5,700) locations to evaluate
• Many of the locations are not owned by Wendy’s, but rather by different francishees.
• The allowed different stores to use different point of sale software and they have already said more than one time of malware was found.
• They likely did not have great audit tools installed, nor a sophisticated log management process implemented.  Log data would need to be captured and kept for months.  In addition, if the hack was sophisticated, which it appears that it was, that log data would need to be sent off site immediately so that the hacker could not modify or delete the local log files.
• Given Gavin Waugh’s comments above, my guess is that they did not have a strong information security program.
• I speculate that they did not have a robust incident response plan in place and tested.

While I have NO inside information and these comments are pure speculation, I suspect I am pretty close.  For other businesses, these attacks can be learning opportunities at very little cost.

Wendy’s figured the cost of fraud would be giving away a few $1 hamburgers.  While they have not revealed how much they have spent so far or how many cards were affected,  it has to be a lot and will only grow.  Likely more lawsuits will be filed.  Home Depot and Target are still fighting lawsuits years after their breaches were revealed.

If Wendy’s had started planning the upgrade of their point of sale system in 2011 when Mastercard and Visa first announced the requirement for chip cards, they probably would not be in this boat today.

But, they figured, they would not be hit.  Apparently, they were wrong.

Whether you are a big company like Wendy’s or a small company with a single location, assuming that you will not be breached is probably not a good plan.  If you assume that you will be breached and do not wind up as a statistic, then you can be thankful.

After all, you don’t drive your car without insurance (hopefully) and you don’t skip getting homeowner’s insurance for your house thinking nothing is going to happen to me.  This is no different.

Prepare for the worst, hope for the best.

Information for this post came from ABC News.

by