Numerous consumers who used credit cards at Midwest and Northeast locations of The Wendy's Co. in the latter part of 2015 were notified by their card issuing banks of a potential data security breach. Wendy's, a publicly traded company established in 1969 and headquartered in Dublin, Ohio, is the world's third largest fast food enterprise, with 6,500 corporate and franchise locations in 30 countries.
Company spokesman Bob Bertini advised news media that fraudulent charges began to appear elsewhere after the cards were legitimately used at some Wendy's restaurants. "Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident," he said. "We have hired a cybersecurity firm to assist, but are not disclosing the name at this point."
Payments and security analysts credit bank fraud departments that monitor suspicious activities and security researchers who monitor black market trends for detecting the fraudulent transactions. Convergence of these two lines of effort proved a formidable force, parsing records from aggregated data to find the common denominator, which in this case clearly showed that all of the compromised payment cards had been used at select Wendy's locations.
"Ideally, we'd like to see merchant organizations detecting incidents proactively," said Jim Wherry, Information Security Analyst at Redhawk Network Security LLC. "In this case, though, from what we know, the issue was brought to light through the combined work of various fraud detection groups."
Wherry, a Certified Information Security Systems Professional and Payment Card Industry Qualified Security Assessor, noted that while fraud detection groups did their jobs, Redhawk advocates strongly for the empowerment of individual merchants. "They need to develop capabilities to detect intrusions before they become breaches down the line," he said.
Vann Abernethy, Senior Technical Expert at network security provider NSFOCUS IB, said, "This incident is another that should serve as a wake-up call for companies, the payment card industry and consumers alike. Many banks have been rolling out new chip-based cards (EMV) recently. This is a good step in the right direction for preventing card information theft and duplication, and adding an additional authentication factor would be even better." Abernethy cautioned consumers who visited Wendy's in affected areas to monitor credit card activity daily for suspicious activities.
Abernethy emphasized the need for merchants to implement end-to-end encryption and tokenization at the POS. He urged retailers to have a plan in place and not to wait to take action until a data breach occurs. "No plan can cover everything, but having a plan and executing on it goes a long way," he stated. Abernethy further noted that Europay, MasterCard and Visa (EMV) technology employs a one-time unique authentication factor designed to prevent payment card duplication. Having a secondary factor such as a personal identification number can add a secondary layer of protection. He advised retailers to protect cardholder data from the moment a card is read at the POS and throughout its journey to the card issuer for verification. End-to-end (E2E) encryption that begins at the card reader would go a long way to protecting systemic vulnerabilities, he added. "Retailers should also remember that just because the primary payment transaction points are as secure as they can make them does not mean the data is not seeping out through another route, especially if there is no E2E encryption," Abernethy said. "Constant vigilance is needed to look for rogue executables, odd open ports and more." Redhawk's Wherry added, "Much can be said about chip-and-signature technology and potential weak points, but the real takeaway from the Wendy's data breach is how it appears to have been detected."
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next