Wendy’s Data Breach: Forget the beef, where’s the data security?

The Wendy’s data security breach, news of which first broke in January, is much worse than the fast-food company originally thought. Wendy’s first reported that the POS system breach impacted only about 5% — or approximately 300 – of its franchise-owned restaurants. However, after allegations by security investigator Brian Krebs that “a number of sources in the fraud and banking community” had told him that “there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers,” Wendy’s finally admitted that its original figures were incorrect, and the number of locations compromised in the Wendy’s data breach is anticipated to be “considerably higher.”

In its statement to Brian Krebs, Wendy’s takes great pains to point out that the data breach impacted only franchised locations, not company-owned restaurants, and involved hackers stealing legitimate login credentials from third-party vendors who service the POS systems at those locations. However, that hasn’t stopped First Choice Federal Credit Union from filing a class-action lawsuit against the Wendy’s corporation, alleging inadequate information security practices and demanding that the chain improve data security at all 6,000 of its locations, both franchised and company-owned.

Human Hacking May Be Behind Wendy’s Data Breach

Wendy’s alleges that its POS systems were breached after hackers stole legitimate login credentials from third-party service providers, which allowed the hackers to remotely access the POS systems. The majority of data breaches, including the notorious Anthem breach, can be traced back to stolen login credentials. Usually, these credentials are acquired using human hacking (aka social engineering) techniques such as phishing emails. This illustrates the importance of companies ensuring that all third-party vendors adhere to cyber security best practices, including training their employees to spot phishing emails and other social engineering techniques.

Restaurants and retailers do not have to stand by helplessly while their POS systems are compromised; there are numerous proactive measures that can be taken to secure POS systems. These include monitoring the system for suspicious activity, including login credentials being used in an unusual manner or the POS system communicating with unknown external sources. If Wendy’s had taken its cyber and data security seriously, this data breach could have been prevented. However, the company chose to place the responsibility for POS system security on the backs of its franchisees, then, when a breach occurred, point fingers at those franchisees and their service providers.

The restaurant industry, which is planning to switch from human order clerks to automated touch screens and kiosks, cannot afford to repeat the mistakes made by the healthcare industry when it transitioned to electronic records. It is imperative that the industry realize that customer data security is just as important as food contamination prevention and take proactive steps to protect its POS systems.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

[bpscheduler_booking_form]

POS Data Security?

The next time you buy a burger at McDonald’s or Wendy’s, a computer may be the one asking, “Would you like fries with that?” After decades of depending on human workers to take orders – and payments – American fast food chains are finally moving into the computer age, driven by rising minimum wages, a tightening labor market, a push for efficiency, and a growing number of internet-savvy consumers who prefer to interact with computers than human clerks.

Discussion of this “Rise of the Machines” in the media has largely centered around the minimum wage and the displacement of low-skilled labor. Missing from the conversation has been any mention of point-of-sale (or POS) system security in these automated ordering systems – even though Wendy’s, which recently announced it will be rolling out ordering kiosks en masse, suffered a POS data security breach earlier this year. The breach compromised approximately 300 locations, went on for several months, and has resulted in a class-action lawsuit accusing the fast-food chain of inadequate data security procedures.

Automated ordering systems are not new. Regional convenience stores Wawa (headquartered near Philadelphia) and Sheetz (a Pittsburgh-area chain), both of which have extensive custom deli and hot foods menus, installed ordering touch screens over a decade ago. However, these systems, unlike the ones Wendy’s and other fast-food restaurants intend to install, only take food orders and do not process customer payments; customers get printed order slips to take to a cashier for payment. And, of course, gas stations, supermarkets, and some retailers have had self-checkout lanes for years.

The surprising thing is that large fast-food chains have taken so long to automate customer ordering and payments – and this is where the concern over POS data security lies.

In some ways, automation in the fast-food industry is similar to automation in the healthcare industry. As mentioned in previous blogs, among the reasons why the healthcare industry is so prone to cyber attacks is that it clung to paper records for years, and when it finally did automate, it did so practically overnight, without any employee training. Similarly, the majority of fast-food companies continued to use human workers long past the time they needed to. The push to automate fast-food ordering is fairly new but very strong; at least one major chain has expressed that it is in a hurry to implement automation in the wake of minimum wage increases on city and state levels.

Since the fast-food industry is known for razor-thin profit margins and aggressive cost-cutting, and making burgers – not POS data security – is its core competency, whether fast-food chains will take cyber security seriously or repeat the mistakes of the healthcare industry remains to be seen.

However, as the ransomware attacks and data breaches that have plagued the healthcare industry have proven, no industry can afford to take a laissez faire attitude toward cyber security, especially when installing completely new systems. The fast-food industry needs to be proactive as it makes the leap from human clerks to self-serve kiosks. Among the measures restaurants can take are:

1. Do a review of your security policies and procedures to ensure PCI DSS compliance. Compliance with the PCI DSS is mandatory for any company that accepts payment cards, and procedures should always be reviewed when a new system is installed to ensure PCI DSS compliance is maintained. Here is a helpful primer on PCI DSS compliance basics.
2. Be sure to purchase your new system from a reputable dealer. Since fast-food ordering kiosks are an industry that is about to explode, inevitably, shady dealers will pop up offering what appear to be fantastic deals on new systems – that turn out to have multiple security vulnerabilities. Make sure you’re buying your equipment from a known, reputable company.
3. Make sure your new POS system can handle EMV technology, or “chip-enabled” cards. One of the ways hackers attack POS systems is by installing card skimmers that steal data off of the magnetic stripe old-style payment cards use. Chip-enabled cards eliminate this problem. However, not all payment cards are chip-enabled at this time, so it’s important not to leave self-serve kiosks completely unattended. Have at least some on-site staff available who are trained to spot card skimmers.
4. If you offer free WiFi to your customers, do not set your POS terminals to access it. Otherwise, a hacker can come into your store and use the WiFi to get into your system.
5. Monitor your POS terminals for suspicious activity. Are your terminals being accessed by or communicating with unknown external sources? Just like any other network, POS systems should be monitored for suspicious activity; had Wendy’s monitored its systems, the breach the company suffered may not have gone on for so long undetected.
6. Have a comprehensive cyber security plan in place, to include training on POS data security for any employees who access the restaurant’s computers. Protecting your customers’ payment card data is as important as adhering to food safety and sanitary practices.

POS Data Security Doesn’t Have to Be a Stomachache!

Because the fast-food industry has depended on manual ordering processes for so long, the transition to automation may seem confusing or even overwhelming for restaurant owners. That’s why it’s a good idea for restaurants to enlist the services of a professional cyber security firm such as Continuum GRC. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches.

Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs. Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

Schedule some time with our Superheroes for a Free Assessment!

Following a string of high-profile incidents that began earlier this year, the healthcare industry has been highly focused on preventing ransomware attacks. IoT security has also emerged as a growing concern. However, healthcare organizations (as well as businesses in other industries) cannot afford to ignore another growing threat: spear phishing.

Like regular phishing, spear phishing involves sending legitimate-looking but fraudulent emails asking users to provide sensitive information and/or initiate wire transfers. However, while regular phishing emails are sent out en masse to the general public, spear phishing emails are highly targeted and sent to specific, predetermined victims, usually a small group of people working at a specific company.

In a recent press release, the Federal Bureau of Investigation warned of a dramatic rise in a type of spear phishing known as a “CEO email scam” or a “business email compromise scam.” According to the FBI, from October 2013 to February 2016, law enforcement identified 17,642 victims, totaling $2.3 billion in losses. Since January 2015, reports of spear phishing have increased by 270%.

Main Line Health Attack Proves that Employee Data Is at Risk

In February 2016, while everyone’s attention was focused on the Hollywood Presbyterian ransomware attack, Main Line Health, which operates four hospitals near Philadelphia, was hit by a spear phishing scheme. Emails were sent to employees, purportedly from the organization’s CEO and CFO, requesting employee payroll and W2 information. While some employees immediately realized the emails were fraudulent and reported them to management, at least one employee was tricked into sending the requested information to the hacker. As a result, Main Line Health had to notify its employees that their personal information may have been compromised and offer them free credit counseling and monitoring services.

When healthcare organizations think about cyber security, they usually focus on patient data protection. However, the hackers who compromised Main Line Health were not seeking to infiltrate patient data, but employee data, and the attack may have been connected to a very large spear phishing scheme targeting HR and payroll professionals in various industries nationwide. It is suspected that the hackers running the scheme intended to use the stolen data to file fraudulent tax returns.

How to Protect Against Spear Phishing

Email spam filters can be adjusted to recognize emails from suspicious sources and block them before they reach employees’ inboxes. However, some phishing emails will undoubtedly still get through. The best way to protect against spear phishing is to teach employees how to recognize the telltale signs of a spear phishing email, such as:

• The salutation and/or the closing seem odd. For example, management normally refers to you as “William” or “Mr. Doe,” but the email is addressed to “Bill.” In the case of Main Line Health, the closing is what alerted one employee to the fraud; the email message, which purported to be from the CEO, was signed “John Lynch,” but the employee knew that the company’s CEO goes by “Jack.”
• The request is unusual and/or does not follow normal company protocol. For example, the email is asking for employee W2 information, but requests like this are not normally handled through email or by the employee who received the request, or the person who allegedly sent the email has never requested similar information before, or it’s unusual for the person who allegedly sent the email to directly contact that particular employee.
• The wording and tone of the email are stilted. Many spear phishing attacks are launched by foreign hackers who are not fluent in English; the email may be riddled with punctuation, spelling, or grammar errors, be worded oddly, or use British spelling. The wording may also be overly formal – or overly casual.
• The domain the email was sent from is incorrect. Instead of “yourcompany.com,” the email may have been sent from “yourcompany.com-xyz.com” or some other derivative.

Employees should be taught that if something seems “off” about an email, they should consult a supervisor or IT security personnel before responding to it. Additionally, as part of your organization’s overall cyber security plan, a firm protocol should be established regarding requests for sensitive employee and patient data, and employees should be trained not to release sensitive data unless the protocol is followed.

In addition to using email spam filters to intercept suspicious messages, training employees to spot spear phishing emails, and implementing a solid security plan that includes protocol for the release of sensitive data, it’s a good idea for healthcare facilities to enlist the services of a professional cyber security firm such as Continuum GRC. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 or book some time with us to discuss your organization’s cyber security needs and find out how we can help you protect your facility’s employee and patient data.

[bpscheduler_booking_form]