On July 8th, it was reported that fast-food chain Wendy’s confirmed 1,025 of their locations – or nearly 20% of their U.S. stores – were affected by the massive data breach that ran from fall of 2015 until June of this year. This announcement marks a significant expansion in affected stores, as the company had previously stated fewer than 300 locations were impacted.
The costs surrounding this particular breach are still unknown, but it has been reported that the sheer volume is greater than the widely publicized Target or Home Depot breaches. Reactions from credit unions around the country reveal that the Wendy’s breach was conducted by very savvy hackers – which could be part of why Wendy’s originally thought that the fraud due to the breach was only impacting 5% of their stores, as reported in their first quarter financials.
“It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target,” said B. Dan Berger, CEO at the National Association of Federal Credit Unions. “It seems to have been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”
The Role of Third Party Vendors
Wendy’s now has published a page that breaks down the breached restaurant locations by state, and is citing the original breach culprit as a third-party service provider that had remote access to Wendy’s cash registers. This scenario sounds a bit like the Target breach, where the hack into Target’s point-of-sale (cash register) system was found to be caused by credentials stolen by a third-party vendor who worked at several store locations.
Retailers often use third-party vendors to manage their point-of-sale (POS) systems, and those vendors then log into the retailer’s network remotely. Cyber thieves have a proven track record of breaking into such vendors, guessing their usernames and passwords, and – bingo! – gaining access to a treasure trove of customer card data stored within the POS system of the now-breached retailer.
The Role of Passwords
With daily reports of breaches resulting from malware, ransomware, or any other type of security incident involving stolen credit card information, are strong passwords really that vital to keeping a network secure?
Take a look at the recent breaches of Twitter, LinkedIn, Myspace and Tumblr, with 642 million accounts compromised plus the additional 1 billion-plus passwords that are already out on the black market – and it’s clear that weak passwords aren’t just a minor problem, they’re an epidemic.
Users prefer creating easily remembered passwords to avoid any inconvenience or login frustrations, but unless steps are taken to develop strong authentication, we will continue to see breaches at the top of daily news reports.
Whatever the excuse for an easy password, choosing one makes a business and its clients more vulnerable to a breach. Simple yet effective habits can quickly be adopted to build a stronger security strategy.
On to the Next Hack Tactic – Social Engineering
Hackers seem to be one step ahead of security trends, so even as organizations adopt security protocols that include strong usernames and passwords, cyber thieves have already discovered how to exploit the one weakness that exists in every organization – humans.
Social engineers, as these hackers are called, use a variety of methods involving emails, phone calls, and social media to manipulate employees at the targeted organization into providing them access to sensitive information.
This “opening of the backdoor for the attackers” social engineering tactic proved to be highly successful in the recent CiCi’s Pizza data breach, as cybercriminals simply called the establishments posing as tech support technicians for various point-of-sale vendors and from there were able to install a POS malware strain that affected 100 of CiCi’s 500 locations across the U.S.
Higher Stakes and a Bigger Mess to Clean Up
According to the 2016 annual benchmark study conducted by the Ponemon Institute, the average total cost to resolve a data breach increased by 7% since the 2013 study, to a staggering $7.01 million. The average cost for each lost or stolen record containing sensitive information increased by 2%, from $217 to $221 per record.
In the aftermath of a large data breach, as damages are tallied, lawsuits against the breached company are now becoming part of the mess to clean up – and the overall costs continue to soar to an all-time high.
Add to those costs a potential class action lawsuit like the one filed against Wendy’s – alleging that a five-month-long data breach could have been prevented if the company had acted faster – and the costs multiply into the millions. Just as frustrating, as Brian Krebs details, is that people continue to visit the hacked locations with their new cards – meaning that the banks and credit unions must then reissue yet another card. No fault of the patron, of course, because they are not aware that the breach is still going on.
“One additional factor that makes it nearly impossible for banks and credit unions to clean up fraudulent card charges after a breach is the unassuming behavior of a habitual patron. People who are in the habit of regularly eating at or patronizing a company that is in the midst of responding to a data breach pose a frustrating challenge for smaller banks and credit unions that fight card fraud mainly by issuing customers a new card. Not long after a new card is shipped, these customers turn around and unwittingly re-compromise their cards, prompting institutions to weigh the costs of continuously re-issuing versus the chances that the cards will be sold in the underground and used for fraud.”
Protecting your POS Means Rendering Card Data Useless
Developing security measures that adopt strong passwords and protect against social engineering scams are important steps for any organization to take in order to protect their customers and themselves from fraud. However, ANY business accepting credit card payments also needs to invest in security technologies – like Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) and Tokenization – to prevent any clear-text cardholder data from ever being in the POS. That clear-text data is what the bad guys are after. Removing it is called “devaluing the data” – essentially removing the treasure from the treasure chest. You can learn more about this concept through the PCI’s infographic on strategies to render card data useless.
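To make the “devaluing the data” idea concrete, here is an added illustration (not Bluefin’s code, nor any real P2PE implementation): a card reader encrypts the PAN at swipe with a key the register never holds, a separate vault decrypts and hands back a token, and a scanner then checks whether a register record would still yield a usable card number. The cipher is a simplified HMAC-keystream stand-in for a real terminal’s hardware encryption, and the card number is the standard test value, both assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card
PAN_RE = re.compile(r"\d{13,19}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real-looking PAN apart from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Simplified stand-in for the terminal's hardware AES/DUKPT (assumption).
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Terminal:
    """Card reader: encrypts the PAN at swipe with a key the POS never holds."""
    def __init__(self, key: bytes):
        self._key = key
    def swipe(self, pan: str) -> dict:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(self._key, nonce)))
        return {"nonce": nonce.hex(), "ct": ct.hex(), "last4": pan[-4:]}

class Vault:
    """Decryption and token issuance live here, outside the merchant's POS."""
    def __init__(self, key: bytes):
        self._key, self._tokens = key, {}
    def tokenize(self, blob: dict) -> str:
        ks = _keystream(self._key, bytes.fromhex(blob["nonce"]))
        pan = bytes(a ^ b for a, b in zip(bytes.fromhex(blob["ct"]), ks)).decode()
        h = secrets.token_hex(8)
        token = f"tok-{h[:8]}-{h[8:]}"  # hyphens keep it from ever looking like a PAN
        self._tokens[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._tokens[token]

def legacy_checkout(pan: str, amount: str) -> dict:
    """Pre-P2PE register: the clear-text PAN sits in the POS record."""
    return {"amount": amount, "pan": pan}

def p2pe_checkout(term: Terminal, vault: Vault, pan: str, amount: str) -> dict:
    """P2PE + tokenization: the POS keeps only a token and the last four digits."""
    blob = term.swipe(pan)  # the register only ever sees ciphertext
    return {"amount": amount, "token": vault.tokenize(blob), "last4": blob["last4"]}

def contains_pan(record: dict) -> bool:
    """Defender's check: would scraping this POS record yield a usable card number?"""
    return any(luhn_ok(m) for m in PAN_RE.findall(repr(record)))
```

Running `contains_pan` over both record types shows the point of the section: the legacy record fails the check, the P2PE record passes, and only the vault can turn the token back into a PAN.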