No, we aren't talking about your burger-inhaling operator passing out on the job, leaving your precious IT assets unattended. You've probably guessed that we're referring to the latest Wendy's data breach announcement: on June 9th, the international fast food chain disclosed that its January 2016 security compromise was, in fact, a lot worse than originally stated—potentially eclipsing the Home Depot and Target data breaches.
As it turns out, the actual number of affected franchises is considerably higher than 5 percent—the original figure announced—though Wendy's has yet to disclose exactly how much. Joined by multiple credit unions and banks, Ex-Wendy's fans are putting their square burgers down and consolidating multiple class action lawsuits against the world's third largest hamburger fast food chain. And it gets beefier: credit unions are reporting volumes of Wendy's-related fraud incidents that outnumber those of Home Depot and Target.
Wendy's is just the latest casualty in a stream of high profile compromises involving point-of-sale (PoS) skimmers and RAM-scraping malware. Unfortunately, many of these systems are breached by exploiting easy-to-remediate security flaws like unpatched/outdated software and misconfigurations. It's hard to predict how many leading fast food chains are vulnerable, since most individual restaurants are independently owned and operated, but analyzing their respective brands' resilience postures may help reveal security flaws downstream.
The undisputed king of fast food chains scores low in the cyber risk department, especially when it comes to email and website perimeter security risks: lack of sitewide SSL, DMARC, and DNSSEC, to name a few.
It's may only be a matter of time before cyber attackers have it their way with this global fast food chain. A low CEO approval rating coupled with email and website perimeter security gaps make for a weak resilience posture.
No discussion about burger franchises would be complete without West Coast favorite In-N-Out burger. Unfortunately, the popular chain scores a low CSTAR score of 266—mostly due to existing email and website security risks.
Top-down Security Patterns
Of course, fast food comes in all forms, not just burgers and fries. As it turns out, KFC, Taco Bell, and Pizza Hut—arguably the three biggest non-hamburger fast food brands—belong to the same parent corporation, Yum!, Inc., formerly Tricon Global Restaurants, Inc. Let's take a look at how they measure in terms of their CSTAR ratings.
Though it scores higher than the aforementioned three, the world's second largest fast food chain possesses various website perimeter security risks and a poor CEO approval rating to boot.
Taco Bell also falls within the average range when it comes to its CSTAR rating—again, scoring better than its hamburger counterparts, but clearly not thinking outside the bun security-wise.
Pizza Hut—also owned by Yum!—scores high marks when it comes to its CSTAR rating. This should come as a relief to football fans, as the pizza chain sold a record-breaking $12 million in food through digital platforms on Super Bowl Sunday.
Staying on top of vulnerabilities in a PoS-based retail infrastructure requires a multitude of vigilant measures such as continuously detecting system/software vulnerabilities and staying on top of updates and patches. Remote administration utilities like pcAnywhere and similar remote desktop tools are commonly used as entry points for attackers and should be removed from externally-facing systems. Last but not least, effective integrity monitoring ensures that critical files and configurations to PoS machines and supporting systems are always in a secure state. UpGuard provides these capabilities and more in a continuous security platform that monitors and validates your entire infrastructure.
So, can fast food be bad for cybersecurity? The answer is a resounding yes—but so is filling up at the gas station, checking out at the grocery store, getting cash at the ATM, and just about any other digital transaction transpiring on a daily basis. UpGuard's resilience platform ensures that all critical systems used in handling customer data—including PoS systems—are free from vulnerabilities and security gaps that could lead to data breaches.