As KrebsOnSecurity noted yesterday in his post¹, credit unions are seeing fraudulent transactions on debit cards that were used at Wendy’s.
I created this image from Engadget’s² image of a drive-thru sign at a Wendy’s
So it is no longer just “Wendy’s”
It is “Hacked Wendy’s” or “Pwned Wendy’s” depending on which language you are using.
So what happened? – Oh the usual.
Security? Updating your devices? Checking for malware? Testing and pentesting your network? We do just enough to pass PCI compliance – but it’s OK, we are doing fine – nothing is happening.
Until the world is actually on fire, then we “HAVE NO COMMENT”.
From the KrebsOnSecurity post:
Wendy’s declined to comment for this story.
Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.
OK, that is a bit sensational and ambulance chasing. But it does serve a purpose: every so often we need to remind ourselves that the disaster recovery and extra testing on the network are there for a reason.
So please forward this message to anyone who wants to listen:
It has been almost a year and my post is a good reminder that standard “Risk Management has failed us”³
UPDATE on 07/08/16: http://krebsonsecurity.com/2016/07/1025-wendys-locations-hit-in-card-breach/
So 1025 locations were hit.
Wendy’s is blaming the breach on a 3rd party that serves franchise locations.
Well, if you ask me… it does not matter if it is a third party, it is still your breach and you are at fault.
Also, lawsuits are now flying at Wendy’s – you can go to the Krebs on Security blog to find the details.
Tony Zafiropoulos – owner of fixvirus.com and oversitesentry.com