The Wendy's Co., which was first reported to have suffered a POS breach in January 2016, is still discovering evidence of hacking attacks.
The fast food chain announced that additional malicious cyber activity has recently been discovered in some franchise-operated restaurants. Wendy’s has disabled the malware where it has been detected.
This latest action is the result of the company's continuing investigation into unusual credit card activity at some stores. Reports indicate that payment cards used legitimately at Wendy's may have been used fraudulently elsewhere.
Based on the preliminary findings of its previously disclosed investigation, the company reported on May 11 that malware had been discovered on the point-of-sale (POS) system at fewer than 300 franchised North American Wendy's restaurants. An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, the retailer directed its investigator to continue to investigate.
In this continued investigation, Wendy’s has recently discovered a variant of the malware used in the original breach. The attackers used a remote access tool to target a POS system that, as of the May 11 announcement, the company believed had not been affected. This malware has been discovered on some franchise stores’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be “considerably higher” than the 300 locations already implicated.
To date, Wendy’s says there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity. According to the retailer, many franchisees and operators contract with third-party service providers to maintain and support their POS systems. The company believes this series of cybersecurity attacks resulted from certain service providers' remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers.
“The malware used by attackers is highly sophisticated in nature and extremely difficult to detect,” the retailer said in a statement. “Upon detecting the new variant of malware in recent days, the company has already disabled it in all franchise restaurants where it has been discovered, and the company continues to work aggressively with its experts and federal law enforcement to continue its investigation.”
Gavin Waugh, VP and treasurer at The Wendy’s Co., told the Krebs on Security blog that installation of EMV-compliant, chip-based card readers would not have necessarily stopped these attacks.
“I don’t think that would have solved this problem, and it’s a bit of a misnomer,” Waugh said. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”
Waugh would not comment on whether Wendy’s has a timetable to deploy EMV-compliant POS systems in its stores.