A Michigan credit union's bold move to block members from using their debit and credit cards at all Wendy's locations following a malware attack won't do much to stop fraud. But it does send a strong message that the financial institution doesn't think the fast-food chain has done enough in its efforts to protect its customers.
On Oct. 6, Jackson, Mich.-based American 1 Credit Union noted in a blog post that it did not believe Wendy's had successfully removed all the point-of-sale malware that infected its system in the fall of 2015, resulting in the compromise of POS devices at more than 1,000 Wendy's locations nationwide.
"Until we are confident that our members' cards are no longer at risk when used at Wendy's, we will continue declining the transactions."
"While Wendy's has reported that the malware responsible for the cyberattacks has been disabled at all franchise locations affected by the data breach, community members have still been reporting fraudulent activity on their accounts, even after reissuance of their debit or credit card," American 1 says in its blog post. "Therefore, in order to protect member accounts, the credit union made the decision to decline all credit and debit card transactions at any Wendy's location until further notice."
In May, Wendy's said it believed that fewer than 300 of its franchises had been impacted by the attack. Then in July, the fast-food chain revised that number to more than 1,000 and said its POS systems were compromised by two separate waves of malware attacks.
American 1 claims more than 18,000 of its members' cards have been compromised because of the Wendy's hack. What's more, the credit union says its fraud losses linked to the Wendy's breach now equal losses stemming from the 2014 Home Depot breach.
"During the Home Depot cyberattacks, over 4,200 cards were reissued," American 1 says. "Of the stolen funds returned to members' accounts, only 11 percent of that amount was covered by insurance, with American 1 paying for the remaining 89 percent of losses out of pocket. ... Until we are confident that our members' cards are no longer at risk when used at Wendy's, we will continue declining the transactions."
More About PR Than Security
The credit union's response to the Wendy's breach is an interesting PR move, but not one that's likely to have much impact on reducing fraud unless its members actually stop trying to use their cards at Wendy's. That's because once a card is swiped at a POS, even if the transaction is declined, if the POS system or network is infected, the card number and details can still be compromised.
Still, I give the Michigan financial institution credit for making a bold statement and bringing valid concerns about POS security to the public's attention.
Wendy's didn't respond to my request for comment, so I can't confirm any of the credit union's claims that the restaurant chain still has an active breach or has been breached again.
I did, however, hear from one Midwest card issuer and two other sources who claimed that fraud linked to Wendy's has been ongoing since January, and that it's very likely that the breach has not been contained.
On the other hand, two other issuers - one in the Midwest and the other on the West Coast - tell me that fraud linked to Wendy's is no longer impacting their customers.
But former bank CISO, David Shroyer, who now works as managing director of information and cybersecurity for Queen Associates, an IT consultancy and staffing agency, tells me it's possible that Wendy's rid its system of the initial malware but failed to close all the doors hackers used to infect the system, leaving the network open to attack. Another possibility is that Wendy's contained the breach and removed all of the malware but inadvertently reinfected the network by restoring systems with corrupt backup files.
"If you don't get it all out, you're always going to be infected," Shroyer says. "You have to make sure you're scrubbing all of your environments. Otherwise, you're going to reinfect yourself. That means making sure you're cleaning up the entire disaster-recovery environment. If that backup drive is infected, you reinfect yourself when you load the backups. ... This is where air-gapping and scanning your DR come into play. The DR needs to be scanned for the same types of threats that happen in my production department. And never back up until that's clean."
If you work for a card issuer that's still seeing fraud linked to Wendy's, I encourage you to post a comment below or reach out to me directly at firstname.lastname@example.org.
I'd also like to get your reaction to American 1's decision to block all card payments at Wendy's. Do you think other issuers should make similar announcements if they believe a particular retailer has failed to contain a breach?