In January, The Wendy’s Co. said it was investigating possible credit card fraud at some of its restaurants.
The security breach has dogged the company ever since. Last week, the Dublin, Ohio-based quick-service operator said that the breach was far larger than it initially reported, with many more than 300 restaurants affected.
The incident has shed light on the way franchised restaurant operators handle point-of-sale systems and protect credit card data. Wendy’s placed much of the blame for the breach on third-party POS providers used by some of its franchisees.
Criminals stole credentials of workers employed by the POS providers, and then used those credentials to gain access to the franchisees’ point-of sale systems. They then installed malware that read the magnetic stripes on credit and debit cards, and sold the card information on the black market.
Criminals frequently gain access to a retailer’s POS system by hacking third-party providers with access to the system.
“It happens a lot,” said Joe Schorr, director of advanced security solutions at Bomgar, a computer security company. “It’s one of the main attack vectors to get into an environment. The company, whether it’s a hospital or a fast-food restaurant or a bank, even if they have their act together, they’re at the mercy of whether their vendors have their act together.
“The security posture of the vendor may be really, really weak.”
How hackers attack
Many retailers use third-party providers to run their point-of-sale systems. An average 89 vendors access a company’s network every week, according to Bomgar.
Compromised passwords and credentials are the most common strategy criminals use to access POS systems.
Darren Guccione, CEO of Keeper Security Inc., said that 63 percent of all cyber attacks are due to weak passwords or poor password management. While that percentage is declining, “It’s still the No. 1 casualty in terms of cyber attacks,” he said.
Retailers’ POS systems are like a central nervous system. Each store is a node in the system. Hackers try to install malware onto the centralized system to gain access to the POS terminals, where they can then intercept credit card information as it is swiped, Guccione said.
He also suspected that an attack the size of Wendy’s could grow.
“Because that type of malware is so pervasive, it doesn’t discriminate between one POS and another,” Guccione said.
Some franchise systems have added the complexity of allowing franchisees to shop for the lowest-price POS system that fits a franchisor’s criteria. As a result, many chains, especially older brands, could have multiple point-of-sale providers throughout the system, most of them from third-party providers.
That can make it more difficult to prevent security breaches and to investigate them because some POS systems could have weaker security protocols.
“As an attacker, the more complex the environment I’m operating in, the better it is for me,” Schorr of Bomgar said. “Having a single point-of-sale system gets a bad rap. But in most instances, having a good, well-designed point-of-sale system is much easier to defend.”
Franchisees might not have the resources to vet a POS provider, or some of the systems they’re purchasing might not be designed with security top of mind, Schorr said.
As it is, many franchised systems are moving toward a single point-of-sale system. Increasing demands for more technology inside restaurants, such as mobile ordering and payment, loyalty and kiosks, have led many franchisors to conclude that it would be easier to add these features with a single system.
Wendy’s is currently moving from multiple POS providers to a single system. The company hopes to install its Aloha point-of-sale system at all restaurants by the end of the year. The security breach did not affect that system, Wendy’s said.
Other chains, like Popeyes Louisiana Kitchen and Pizza Hut, are working toward a single point-of-sale system.
“We do need to get from nine POS systems down to one POS system,” Greg Creed, CEO of Pizza Hut parent company Yum! Brands Inc., said during an earnings call in April.
Improving the security of credit card data could push some of these efforts forward, giving franchise systems another reason to move in this direction.
“Franchisors should never allow franchisees to shop around for POS software systems or to allow integrations of any type performed outside a centralized control group,” said Carman Wenkoff, chief information officer for Subway, which has built and installed its own POS software and menu management system into 30,000 restaurants so far. “There is too much risk to the brand to allow that exposure.”
'We are in a cyber war'
To be sure, plenty of retailers that don’t use multiple POS systems have had serious credit card breaches.
And once criminals get into a system, it can be difficult to get them out. It’s not uncommon for a breach to dog a company for months before it is fully removed.
“Once you’ve discovered the attack, you have a race against time to get them out,” Guccione said. “And while you do that, they continue to steal information.”
Sometimes hackers alter malware to continue to steal information even as investigators remove the previous malware.
“Hackers are doing the same thing on the other side of the fence, trying to breach the company,” Guccione said.
“Malware is so difficult to detect,” he added. “Hackers are getting state sponsored and more sophisticated. Take your smartest developers and your smartest IT people, and then take 30,000 of them and put them into a building in a country sponsoring it just for the purposes of stealing corporate information and, of course, money.
“Make no mistake about it: We are absolutely in a cyber war.”
Experts suggest that companies work harder to protect passwords and ensure that third-party providers are also taking steps to protect credentials. Schorr suggests “shrinking the attack,” so there are fewer systems visible to the Internet and therefore fewer points of attack for criminals. That way, a company can point its defenses at a smaller attack surface, he said.
More importantly, companies should focus on protecting the information criminals want most: credit card data.
“It’s a different world,” Schorr said. “Restaurants used to worry about people trying to get KFC’s secret recipe. But that’s not what makes the money.
“It’s much easier to sell credit cards on the black market than it is to sell KFC’s secret recipe so someone can start a restaurant,” he said.
CORRECTION: June 14, 2016 This story has been updated to clarify a quote from Joe Schorr.