Wendy’s announced that an investigation began this week into the possibility of a data breach at several of its restaurant locations across the Midwest and East Coast, after a number of financial institutions reported suspicious activity on customer accounts.
“We began investigating immediately,” said spokesman Bob Bertini. A Wendy’s spokesperson detailed the situation further, saying, “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.” It is estimated the breaches occurred only a few weeks ago, near the end of 2015.
According to KrebsOnSecurity, this breach may be a side effect of the restaurant chain not updating to EMV payment systems. Major credit card carriers – American Express, Visa, and others – requested US retailers to transition to Europay Mastercard Visa payment systems due to their secure nature versus the current swipe payment method. Unfortunately, many companies still have not made the transition.
While the fast food chain chose not to comment on these particular findings, experts in the field had plenty to shed light on: “If it turns out there was a breach and that Wendy’s had not fully deployed EMV, this will likely be the first time the post-EMV liability shift financial reimbursement processes will play out on a large scale,” says Jim Huguelet, principal managing partner at the Huguelet Group LLC, a consulting firm that specializes in retail security. These findings, if true, could serve as a major warning for those retailers that have not begun the transition to EMV.
Overall, the timeline from breach discovery to investigation is fairly quick in this particular situation. And, while it was the financial sector connection to Wendy’s that discovered the breach, it’s comforting to know they were working together to try and prevent these otherwise debilitating cyber attacks, or at least slow them down.
Can we mark this down as the first major data breach of 2016? At this time we’re not really certain. We’ll likely find out about others in the coming weeks and months, but at least we can say Wendy’s seems to be handling it well.