Digital Defense: Cybersecurity and the Wendy’s Hack

By Barbara L. Vergetis Lundin, Assistant Editor


Fast food chain Wendy’s is the industry’s latest cyberattack victim. In fact, more than 1,000 of Wendy’s 6,500 locations across the United States were hit in a widespread credit/debit card hack.

It’s not an uncommon scenario: malware infects a network; over a long period of time, it morphs and spreads broadly and deeply throughout that network. It’s almost unavoidable these days, but a good digital defense can help.

“Cyberattacks are so advanced these days that if a hacker sets his sights on your network, you can bet he’ll get in,” said Ray Rothrock, CEO of RedSeal, a cybersecurity company. “Being prepared when they get in is the essence of resilience.”

Digital Defense

In these situations, time is of the essence.

Wendy’s detected unusual credit card activity in some of its restaurants as far back as February 2016, but didn’t confirm evidence of malware installed on some of its point-of-sale systems until May. The malware has since been disabled.

“Generally, good segmentation and policies defining where information can flow on a network, and then confirming and enforcing it is good digital resilience practice,” Rothrock said.

He compares network security to building security and fire protection – and pins the responsibility squarely on the C-suite.

“Just like modern buildings with smoke detectors, burglar alarms and sprinkler systems, we acknowledge that a fire could break out or a bad guy can break in. The building was built with these concepts in mind,” Rothrock said. “Likewise, the same logic applies to your network. Have the prevention and detection systems in place, but also design, run, and govern your network with the goal of resilience. But you have to measure it to know it’s staying where you want it, and how you want it. This attitude starts in the C-suite. Engaging your senior management and giving them measures they understand matters in the short and long term.”

No doubt the vulnerable nature of cybersecurity is one of the things that keeps executives up at night. Networks, and network technology, are extremely complex and constantly changing. And, as much as you think you know the vulnerabilities and weaknesses of your own network, you may want to think again.

Rothrock has five good tips.

1. Focus on the network in its entirety as it currently is – not as it was last year or as it was intended to be, but as it actually is, including every entry point, every exit point, how every subnet interacts with and throughout the infrastructure, and all the undocumented assets and pathways.

2. Have the best network prevention and detection you can afford. Rothrock notes that this is necessary but it isn’t sufficient to prevent breaches.

“You must understand your network architecture, how it is built, how it operates, and what it looks like inside the firewall,” he said. “That’s the battleground, not the firewall.”

3. Set standards and measures that give you the intel to govern and manage your network, including prevention, detection, and resilience measures.

4. Be prepared for an incident by having technology in place to assist first responders, giving them the visibility and capability to make intelligent changes to shut down an incident before it becomes a breach.

5. Have tested and implementable policies governing how your network operates. Check often and keep equipment and software upgraded.

“Just because you built it a few years ago and it looked fine then, today’s threats are truly sophisticated at hiding, moving around without notice, and simply taking over your infrastructure,” Rothrock warned.

Wendy’s Response

The Wendy’s Company President and CEO Todd Penegor said in a statement that the organization has conducted “a rigorous investigation” to understand what has happened and is committed to protecting customers and keeping them informed.

To that end, Wendy’s has created a website where customers can go to see if their personal information could have been compromised, in addition to a toll-free customer assistance line that is available during normal business hours. The website lists each of the 1,025 locations that have been affected. Wendy’s will also provide any customer who used a credit or debit card at one of the affected restaurants during the relevant timeframe with a year of free fraud consultation and identity restoration services.

The investigation concluded that the malware was deployed on Wendy’s systems as far back as fall 2015. The company believes the hacks came as the result of franchisees’ remote access credentials being compromised. It does not believe, based on the ongoing investigation, that any company-operated restaurants were impacted.

Facing the Inevitable Truth

Wendy’s is currently evaluating and upgrading its data security measures. But the truth is, no company can protect itself against every attack.

“Even with the billions invested in the multitude of network security products, incidents are inevitable,” Rothrock conceded. “The goal is to stop the breach. Organizations need to be thinking about incident response, mitigation, recovery, and general resilience – the ability to stay in business and minimize damage to your customers during an incident. A resilient network can prevent an incident from becoming a breach, stopping attackers in their tracks, and keep the company in business.”