Wendy’s reveals source behind breach — and it was a familiar one


The Wendy's Co. is offering an update on a cyberattack it first reported in February 2016, and it contains some decidedly unsurprising details.

Wendy’s believes the breach resulted from third-party service providers' remote access credentials being compromised. This gave the attackers access to some franchisees' point-of-sale systems and the ability to deploy malware on them. To date, Wendy’s said there has been no indication that any Company-operated restaurants were impacted.

Working with third-party forensic experts, federal law enforcement and payment card industry contacts as part of its ongoing investigation, the retailer has determined that specific payment card information was targeted by an additional malware variant reported in June. This information included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Media reports of unusual payment card activity related to Wendy’s customers first surfaced in January 2016, with the retailer officially confirming it in February 2016. Subsequently, on June 9, 2016, the company reported that an additional malware variant had been identified and disabled.

The company worked with investigators to disable the malware involved in the first attack earlier this year. Soon after detecting the malware variant involved in the latest attack, Wendy’s said it identified a method of disabling it and thereafter disabled it in all franchisee restaurants where it was discovered. The investigation has confirmed that criminals used malware believed to have been effectively deployed on some Wendy's franchisee systems starting in late fall 2015.

Wendy’s is now offering customers who may have been affected information on how to protect their credit, as well as one year of complimentary fraud consultation and identity restoration services.

“We are committed to protecting our customers and keeping them informed,” said Todd Penegor, president and CEO of Wendy’s. “We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants. We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”

Compromised third-party service provider credentials have been the root of a number of high-profile retailer security breaches in the past few years, including Target and Home Depot. This latest attack is another reminder that retailer security efforts have to cover the extended enterprise, including franchisees and any third-party partners. All it takes is one obscure vulnerability for a skilled hacker to gain network access and cause damage that can take millions of dollars and many years to fully remediate.