The Wendy’s Breach – Closing the Window on Malware and Hidden Threats

Back in May Wendy’s announced they had been hit by a breach involving malware on the point of sale (POS) system. Originally thought to have impacted less than 300 of the fast-food chain’s locations, last week the company acknowledged that that breach was much worse than originally thought with 1,025 restaurants impacted. 

Wendy’s is blaming the breach on an unnamed third-party service provider stating that the breach resulted from the vendor’s “remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.” The malware targeted the payment card data including cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. 

The company states it became aware of the issue in February when franchises first started reporting unusual payment card activity, but a forensics investigation reveals the malware was first inserted in the fall of 2015. Given how long it took to discover the extent of the breach, there’s no telling if they have closed the virtual drive-thru window on the hackers helping themselves to customer data.

Why wasn’t the breach discovered before hundreds of Wendy’s locations were compromised?

Hackers are getting increasing more sophisticated. It is no longer enough to solely rely on real-time defense systems like anti-virus and perimeter defenses – time and time again hackers have demonstrated these systems can be penetrated. Companies need to start acknowledging that their systems will be targeted, and despite existing defenses, will be breached. The key to discovering malware and hidden persistent compromises is to actively hunt for them. Persistent compromises, like the one at Wendy’s, rely on the ability to remain hidden for months, even years, while they quietly and effectively penetrate your systems to steal your data and IP. The longer they can maintain a foothold in your systems, the more lucrative it is for them.

Active threat hunting needs to become part of modern cyber defenses to detect compromises and stop unauthorized access. While threat hunting includes some activities that defenders have historically used such as log analysis and incident response techniques, there are new technologies that can assist you with the hunt process to improve the speed and efficacy of your hunt program. These tools automate the search for threats and empower your internal security teams to hunt without specialized knowledge. And the faster you can identify and remove a threat, the less harm it can do.

The only way to get ahead of today’s cyberattacks is to change our security mindset and assume we will be breached. Based on our experience, anyone who claims they have never been breached has simply never looked hard enough.

Learn how Infocyte can help your organization implement a threat hunting program using automated tools to identity adversaries already on your network.

Chris Gerritz

Infocyte, Inc., 110 East Houston Street; Floor 7, San Antonio, TX, 78205