Some stories are hard to swallow. Take, for instance, fast-food restaurant chain Wendy’s, which announced in January of this year that it had suffered a breach of unknown magnitude. Wendy’s hired an investigative firm, and in May indicated that about 300 of its 5,800 locations had been affected. Two months later, it appears that statement was a bit off the mark. Now Wendy’s says that 1,025 of its restaurants were affected.
Wendy’s is on record saying the breach began in the fall of 2015, when malware was installed on a point-of-sale system used in a number of its locations, apparently through the use of compromised third-party vendor credentials. Customers who ate at the compromised locations soon found the actual costs for their meals supersized. The perpetrators used the pilfered information to begin draining debit accounts. The president of the National Association of Federal Credit Unions said the Wendy’s breach was hitting credit unions harder than they were hit during the breaches of Home Depot and Target.
The credit unions criticized Wendy’s for responding too slowly to the initial breach, which Wendy’s indicated may have occurred in October 2015. First Choice Federal Credit Union sued Wendy’s in a federal court in Pittsburgh, Pennsylvania, claiming the fast-food chain “refused to take steps to adequately protect its computer systems from intrusion.” The suit said that Wendy’s took nearly five months to stop the data breach and that “Wendy’s systematically failed to comply with industry standards and protect payment card and customer data.” The complaint continues: “As a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers.” In addition, a class action suit was filed in Florida, claiming in part that “many retailers, banks and card companies responded to recent breaches by adopting technology that helps make transactions more secure, (but) Wendy’s has acknowledged that it did not do so.”
The Credit Union National Association joined the Pennsylvania lawsuit, raising the stakes for Wendy’s even further. It will take a while for the litigation to play out, but it’s a fair assumption that the costs for Wendy’s associated with this breach will be substantial. If the judge agrees that Wendy’s should have both prepared and responded better, we will continue to move from “buyer beware” to “buyer and seller beware” in cyber jurisprudence.
By Tom Davis, SDI Cyber Risk Practice
July 12, 2016