Where’s the Data Security? Wendy’s Data Breach Bigger than Originally Thought

Wendy’s Data Breach: Forget the beef, where’s the data security?

The Wendy’s data security breach, news of which first broke in January, is much worse than the fast-food company originally thought. Wendy’s first reported that the POS system breach impacted only about 5% — or approximately 300 – of its franchise-owned restaurants. However, after allegations by security investigator Brian Krebs that “a number of sources in the fraud and banking community” had told him that “there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers,” Wendy’s finally admitted that its original figures were incorrect, and the number of locations compromised in the Wendy’s data breach is anticipated to be “considerably higher.”

Wendy's Data Breach: Forget the beef, where's the data security?

In its statement to Brian Krebs, Wendy’s takes great pains to point out that the data breach impacted only franchised locations, not company-owned restaurants, and involved hackers stealing legitimate login credentials from third-party vendors who service the POS systems at those locations. However, that hasn’t stopped First Choice Federal Credit Union from filing a class-action lawsuit against the Wendy’s corporation, alleging inadequate information security practices and demanding that the chain improve data security at all 6,000 of its locations, both franchised and company-owned.

Human Hacking May Be Behind Wendy’s Data Breach

Wendy’s alleges that its POS systems were breached after hackers stole legitimate login credentials from third-party service providers, which allowed the hackers to remotely access the POS systems. The majority of data breaches, including the notorious Anthem breach, can be traced back to stolen login credentials. Usually, these credentials are acquired using human hacking (aka social engineering) techniques such as phishing emails. This illustrates the importance of companies ensuring that all third-party vendors adhere to cyber security best practices, including training their employees to spot phishing emails and other social engineering techniques.

Restaurants and retailers do not have to stand by helplessly while their POS systems are compromised; there are numerous proactive measures that can be taken to secure POS systems. These include monitoring the system for suspicious activity, including login credentials being used in an unusual manner or the POS system communicating with unknown external sources. If Wendy’s had taken its cyber and data security seriously, this data breach could have been prevented. However, the company chose to place the responsibility for POS system security on the backs of its franchisees, then, when a breach occurred, point fingers at those franchisees and their service providers.

The restaurant industry, which is planning to switch from human order clerks to automated touch screens and kiosks, cannot afford to repeat the mistakes made by the healthcare industry when it transitioned to electronic records. It is imperative that the industry realize that customer data security is just as important as food contamination prevention and take proactive steps to protect its POS systems.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.


Continuum GRC Clarifies What SSAE 16 Compliance Means

When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified. In an effort to cut through the noise and clear up some of the confusion regarding SSAE 16 compliance, Continuum GRC would like to clarify what SSAE 16 compliance is—and isn’t.

What is SSAE 16?

Continuum GRC Clarifies What SSAE 16 Compliance Means

SSAE 16 is an internationally recognized auditing standard for service organizations. It was developed by the American Institute of Certified Public Accountants (AICPA) and replaces the previous standard, SAS 70. SSAE 16 reporting helps service organizations comply with the requirements of Sarbanes Oxley (section 404) to demonstrate effective internal controls covering financial reporting. SSAE 16 applies to data centers that host systems that are involved in their clients’ financial reporting, as well as web hosting providers, ASPs, and ISPs who perform services that are relevant to their clients’ financial reporting.

There are three types of reports that can be issued: an SOC 1, an SOC 2, or an SOC 3, all of which address different controls. Performing an SSAE 16 audit and issuing an SOC report demonstrates a service provider’s commitment to maintaining a sound control environment that protects their clients’ data and confidential information.

Some service providers who use SSAE 16-compliant data centers imply that they are, somehow, SSAE 16 compliant by proxy. This is not the case; just because you use a provider who is SSAE 16 compliant does not mean that your company is SSAE compliant, and to imply such is black-hat marketing.

There is No Such Thing as SSAE 16 “Certification”

A Google search on “SSAE 16” reveals numerous instances of companies claiming to be “SSAE 16 Certified.” Organizations are compliant with SSAE 16; there is no such thing as becoming “SSAE certified.” SSAE 16 has to do with issuing SOC reports; no “certification” is awarded to anyone. Beware of any service provider that claims to possess an SSAE 16 “certification” or purports to be working towards getting one.

Need SSAE 16 Compliance Auditing Services?

If you have questions about SSAE 16 compliance, or if your company needs SSAE 16 auditing services, Continuum GRC can help! Continuum GRC provides both do-it-yourself and Cybervisor®-supported SSAE 16 modules to support SOC 1, SOC 2, and SOC 3 audit reports.

Continuum GRC’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Continuum GRC specializes in IT security, risk, privacy, governance, cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines. Learn more about Continuum GRC and why Continuum GRC is Proactive Cyber Security™!


POS Data Security an Issue for Fast-Food Kiosks

POS Data Security?

The next time you buy a burger at McDonald’s or Wendy’s, a computer may be the one asking, “Would you like fries with that?” After decades of depending on human workers to take orders – and payments – American fast food chains are finally moving into the computer age, driven by rising minimum wages, a tightening labor market, a push for efficiency, and a growing number of internet-savvy consumers who prefer to interact with computers than human clerks.

Rise of the Machines: POS Data Security will still be a problem.

Discussion of this “Rise of the Machines” in the media has largely centered around the minimum wage and the displacement of low-skilled labor. Missing from the conversation has been any mention of point-of-sale (or POS) system security in these automated ordering systems – even though Wendy’s, which recently announced it will be rolling out ordering kiosks en masse, suffered a POS data security breach earlier this year. The breach compromised approximately 300 locations, went on for several months, and has resulted in a class-action lawsuit accusing the fast-food chain of inadequate data security procedures.

Automated ordering systems are not new. Regional convenience stores Wawa (headquartered near Philadelphia) and Sheetz (a Pittsburgh-area chain), both of which have extensive custom deli and hot foods menus, installed ordering touch screens over a decade ago. However, these systems, unlike the ones Wendy’s and other fast-food restaurants intend to install, only take food orders and do not process customer payments; customers get printed order slips to take to a cashier for payment. And, of course, gas stations, supermarkets, and some retailers have had self-checkout lanes for years.

The surprising thing is that large fast-food chains have taken so long to automate customer ordering and payments – and this is where the concern over POS data security lies.

In some ways, automation in the fast-food industry is similar to automation in the healthcare industry. As mentioned in previous blogs, among the reasons why the healthcare industry is so prone to cyber attacks is that it clung to paper records for years, and when it finally did automate, it did so practically overnight, without any employee training. Similarly, the majority of fast-food companies continued to use human workers long past the time they needed to. The push to automate fast-food ordering is fairly new but very strong; at least one major chain has expressed that it is in a hurry to implement automation in the wake of minimum wage increases on city and state levels.

Since the fast-food industry is known for razor-thin profit margins and aggressive cost-cutting, and making burgers – not POS data security – is its core competency, whether fast-food chains will take cyber security seriously or repeat the mistakes of the healthcare industry remains to be seen.

However, as the ransomware attacks and data breaches that have plagued the healthcare industry have proven, no industry can afford to take a laissez faire attitude toward cyber security, especially when installing completely new systems. The fast-food industry needs to be proactive as it makes the leap from human clerks to self-serve kiosks. Among the measures restaurants can take are:

  1. Do a review of your security policies and procedures to ensure PCI DSS compliance. Compliance with the PCI DSS is mandatory for any company that accepts payment cards, and procedures should always be reviewed when a new system is installed to ensure PCI DSS compliance is maintained. Here is a helpful primer on PCI DSS compliance basics.
  2. Be sure to purchase your new system from a reputable dealer. Since fast-food ordering kiosks are an industry that is about to explode, inevitably, shady dealers will pop up offering what appear to be fantastic deals on new systems – that turn out to have multiple security vulnerabilities. Make sure you’re buying your equipment from a known, reputable company.
  3. Make sure your new POS system can handle EMV technology, or “chip-enabled” cards. One of the ways hackers attack POS systems is by installing card skimmers that steal data off of the magnetic stripe old-style payment cards use. Chip-enabled cards eliminate this problem. However, not all payment cards are chip-enabled at this time, so it’s important not to leave self-serve kiosks completely unattended. Have at least some on-site staff available who are trained to spot card skimmers.
  4. If you offer free WiFi to your customers, do not set your POS terminals to access it. Otherwise, a hacker can come into your store and use the WiFi to get into your system.
  5. Monitor your POS terminals for suspicious activity. Are your terminals being accessed by or communicating with unknown external sources? Just like any other network, POS systems should be monitored for suspicious activity; had Wendy’s monitored its systems, the breach the company suffered may not have gone on for so long undetected.
  6. Have a comprehensive cyber security plan in place, to include training on POS data security for any employees who access the restaurant’s computers. Protecting your customers’ payment card data is as important as adhering to food safety and sanitary practices.

POS Data Security Doesn’t Have to Be a Stomachache!

Because the fast-food industry has depended on manual ordering processes for so long, the transition to automation may seem confusing or even overwhelming for restaurant owners. That’s why it’s a good idea for restaurants to enlist the services of a professional cyber security firm such as Continuum GRC. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches.

Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs. Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

Schedule some time with our Superheroes for a Free Assessment!