The Wendy’s data breach timeline continues to grow. On July 7, we learned that the scope of the Wendy’s breach was much larger than originally reported by the company.
Now we know that over 1,000 locations in the United States were impacted – more than 3.4 times the number of locations first announced. That means 18 percent of Wendy’s franchised locations in North America were impacted.
The organization confirmed cybercriminals stole valuable customer data, including cardholder names, credit or debit card numbers, expiration dates, cardholder verification values, and service codes.
Wendy’s stated in its press release that it believed the breach “resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.”
Wendy’s Data Breach: What We Know
There’s a lot we can learn from the way this story has developed over the past six months – using this particular incident as a new breach case study.
Wendy’s Data Breach Timeline
- Late Fall 2015: Wendy’s breached when malware is installed on point-of-sale (POS) system.
- January 2016: Payment industry contacts alert Wendy’s of potential breach.
- January 27, 2016: Wendy’s confirms it is investigating a potential breach, as first reported by cybercrime journalist Brian Krebs.
- February 9, 2016: Wendy’s confirms in a press release that cybersecurity experts had found malware on point-of-sale systems in “some” locations. No estimate of impacted Wendy’s locations was available.
- April 2016: Some financial institutions’ data supposedly indicates breached locations are still compromising customer data (according to a Krebsonsecurity.com May 2016 report).
- April 25, 2016: First Choice Federal Credit Union files a class action lawsuit against Wendy’s, claiming the organization had “refused to take steps to adequately protect its computer systems from intrusion.”
- May 11, 2016: As part of a press release covering first quarter 2016 results, Wendy’s reports the breach impacted fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants. Malware reported eradicated at affected locations.
- June 9, 2016: Wendy’s announces that a variation of the malware was discovered on restaurants’ POS systems and says “the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.” Wendy’s also reports it has disabled the malware successfully in all franchise restaurants.
- July 7, 2016: Wendy’s releases an updated list of breached locations – 1,025 total restaurants.
Let’s assume that late fall 2015 means the last day of fall in the northern hemisphere, December 21, 2015.
That means that from the time of the breach, it took 200 days – 54.8% of a year – for potentially impacted consumers to learn the full extent of the breach in terms of locations impacted (assuming no new information is uncovered).
Other items of note (again assuming the first breach stopped on December 21, 2015):
- It took 12 days after the initial breach occurred for the company to learn something was wrong – thanks to its payment industry contacts – and begin investigating.
- The 2015 breach was first disclosed publicly 51 days after it occurred. It’s possible it took quite a bit longer because of the assumed breach date I’m using.
- Approximately 143 days were required for the company to be able to report the original malware was removed from its systems and for the media and general public to receive an estimate of the affected locations.
- In reality, it took approximately 172 days for the full extent of the breach to be assessed and addressed successfully (assuming no new malware or security issues are found).
Because of how this story unfolded – starting with an independent journalist receiving credible reports of the potential breach and continuing through the most recent announcement – we’re given a window into how long it can take for even a Fortune 1000 company to detect a breach, investigate it, assess its full scope, and report it.
How Wendy’s Data Breach Stacks Up
The timeframe doesn’t necessarily set Wendy’s apart. The company actually detected the incident – largely due to the reports from third parties – much faster than the average of 146 days.
So does that mean this was a best-case response scenario? I wouldn’t go that far.
Let’s compare this incident to the well-documented timeline for Target’s breach in 2013, which also resulted from malware being installed on POS systems.
- It took 19 days for Target to detect the breach from the time it began on November 27, 2013. The 12-day detection period for Wendy’s beats that, but keep in mind we have to use an estimated breach date of December 21, 2015 since we don’t yet know the exact dates of the Wendy’s breach.
- However, it also took Target only 19 days to be able to confirm publicly it had removed the malware and stopped the breach completely. It took Wendy’s 143 days to make such an announcement.
- It also took Target just 22 days from the breach’s occurrence for it to report the breach publicly. It took Wendy’s more than twice that amount of time – 51 days assuming the breach occurred on December 21, 2015.
Wendy’s Breach Unknowns and Predictions
Unlike the Target breach and the similar POS-related breach of Home Depot in 2014, we don’t yet know how long the malware was in place before detection or the total number of credit and debit cards impacted by the Wendy’s breach, making it difficult to know where this particular retail security incident will truly stack up.
Initial indications aren’t promising, however.
Dan Berger, CEO at the National Association of Federal Credit Unions, told Krebsonsecurity.com that CEOs of Ohio credit unions have said of the Wendy’s breach: “’It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target.’”
I think it’s quite possible this will be the largest retail data breach of 2015 – a distinction currently held by the VTech breach in which more than 11.6 million records were compromised according to breachlevelindex.com.
But I don’t expect this to rival the Home Depot and Target data breaches in terms of data records stolen.
Statistics website Statista reports 50.27 million people visited Wendy’s in the U.S. in autumn 2014 (the last time autumn data was reported).
If that number is consistent with the number of consumers that visited Wendy’s locations in autumn 2015, the number of credit cards that could have been stolen should be substantially less than the 56 million credit cards compromised in the Home Depot breach and 40 million credit cards compromised in the Target breach.
That being said, right now we have no way of knowing how much this will cost Wendy’s in terms of breach-related expenses and customers lost.
Breach Consequences Wendy’s May Face
Here are some things that we do know in terms of breach consequences:
- 92 percent of organizations breached suffer commercial consequences. For example, Target incurred over $290 million in breach expenses, of which insurance covered only 31 percent.
- 64 percent of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen.
- As I recently reported on this blog, 24 percent of surveyed IT decision makers believe that over 5 percent of their organization’s IT budget has been lost on detecting and fixing breaches in their perimeter security.
So in addition to financial expenses, Wendy’s can expect losses in terms of IT effectiveness and reputation. The big question for the company is going to be how quickly that security black eye can fade.
Perhaps most concerning for me is that we don’t yet know the new steps Wendy’s is taking to ensure customer data is not compromised again in the event of a breach.
In the July 7 press release, the company simply wrote, “We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures.”
No specifics about new tactics or security partnerships are provided.
And nowhere in my research did I find a mention that Wendy’s utilized encryption and key management to render stolen data unusable or will do so in the future.
I expect we will see an announcement about new security measures being taken in the near future, similar to the steps Home Depot took and publicly promoted following its breach.
The Bad Aftertaste of Perimeter Security
If Wendy’s relied too heavily on perimeter security, it’s not surprising. And it’s not alone.
Of the IT decision makers surveyed in our Data Security Confidence Index, 61 percent said they believe their organizations’ perimeter security systems were very effective at keeping unauthorized users out of their network.
We’ll see what else is added to the Wendy’s breach timeline in the coming weeks and months, but hopefully this will lead other retailers and organizations dealing with sensitive customer data to buy into what we’ve long asserted on this blog: breach prevention is dead.
Even if Wendy’s was executing perimeter security perfectly prior to the breach, cyber criminals still found a weak spot to exploit — service providers’ remote access credentials.
Better breach preparation is what’s needed today.
For more information about the impact of data breaches and retail data security, you may wish to check out:
- 2015 Data Breaches report from the Breach Level Index
- Data Security Confidence Index 2016 survey findings
- Data Breaches and Customer Loyalty survey findings
- Retail data security solutions offered by Gemalto