Editor’s pick: Originally published on Jan. 28.
Here is the bad news: Your burger may have come with a side of cyber theft. Wendy’s, the giant fast food retailer, apparently has suffered a credit card breach. And your credit card may be primed for compromise.
First, as regards the breach itself, few details are known. Security blogger Brian Krebs has reported this statement from Wendy’s spokesman Bob Bertini: “We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations. Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”
The implication: Wendy’s has apparently suffered a breach of the same kind that hit Home Depot and Target. In those latter two cases, hundreds of millions of credit card numbers were stolen. No one is currently guessing how many cards will be involved in the breach at Wendy’s, a business where many purchases are made with cash.
Exactly what happened at Wendy’s? Wendy’s may not be telling, but experts are ready with guesses.
“Cyber criminals continue to feast on point of sale devices,” said Travis Smith, researcher at security firm Tripwire. “The primary function of these computers and networks is to process customer orders as quickly as possible. Security is often an afterthought.”
Chenxi Wang, Twistlock chief strategy officer, offered her theory. “Wendy’s breach is likely a compromise in their point-of-sale systems,” Wang said. “These systems often still run obsolete -- hence, vulnerable -- software. Many in the field still run Windows XP and have no plans to upgrade. It’s likely that criminals found a way to implant data-stealing malware in Wendy’s POS systems to collect payment card info.”
“The breach at Wendy’s is yet another example of how effective and difficult-to-detect today’s cyber threats can be,” said Jeff Hill, channel marketing manager for STEALTHbits Technologies. “Like many other breaches, it was discovered not by the company’s internal security team, but rather an outside entity, in this case, credit card fraud algorithms that detected the anomalous use of the card numbers after they’d been stolen. The bottom line is that it’s extraordinarily difficult to detect a well-designed attack with a patient criminal at the controls.”
Your money question is blunter, and easier to answer. What should you do if you have used a credit card at Wendy’s? The company has said that the apparent breach occurred “late last year.” Did you plop down plastic in that period? Wendy’s advice is to monitor your statement for any fraudulent transactions. Dispute such charges quickly and federal law says you will not be held liable. Protections are almost as good for debit card users, but you do need to act fast. Also, there may be hassles in getting money that was withdrawn from your account restored. Keep nagging your card issuer and you will probably be fine.