The Ohio-based fast food chain Wendy’s experienced a data breach late last year and early this year that is affecting credit unions and their members. Wendy’s has been investigating the issue for some time now, but the investigation was not disclosed to the public until late January, and information is still limited. Here is a brief summary of the information Oak Tree has gathered on the breach so far:
The data breach comes from malware that was found on the POS systems at some locations. Wendy’s has not disclosed which of its 6,000 locations worldwide were affected, or how many restaurant customers. The malware was planted on the POS systems to gather credit card numbers. Speculation from credit unions, based on the fraudulent charges their members are encountering after having used their cards at a Wendy’s location, suggests that the breach occurred from late last year into January in the Midwest and East Coast areas. This has not been confirmed in detail by the Wendy’s corporation, which has a history of this malware issue appearing in its restaurant chain since 2014, when the first malware was reported in Michigan.
Continued speculation suggests that this breach will have a loss impact on credit unions and their members five to ten times greater than that of the Target and Home Depot data breaches. The 2013 Target breach had losses of approximately 40 million and the 2014 Home Depot breach had losses of about 56 million. Imagine the impact a breach of this scale will have. The breach seems targeted and has been draining debit accounts with large amounts of assets in them, but it goes without saying that any consumers who have swiped their card at any of the undisclosed restaurant locations could be at risk of their information being insecure. One credit union has reported that its fraud losses reached half of its expected annual amount in the month of January alone. This credit union reviewed the accounts being fraudulently charged and discovered that the account holders had all swiped their cards at a Wendy’s location in the last quarter of 2015.
Credit unions are currently at a loss for information as well. Wendy’s has not confirmed the size or scope of this breach, making it difficult for credit unions to prepare to protect their members. Without knowing where or how many card numbers were affected, or whether the malware is still intact or has spread to other locations, credit unions don’t know whether to issue new cards to their members who have dined at Wendy’s, for fear that if the consumer returns with the new card number, they will be attacked again.
Store data breaches are seemingly becoming commonplace in today’s world, with the list of attacked chains growing each year. Consumers are beginning to take action of their own, and that has already begun in the case of this current breach. A Wendy’s restaurant diner in Florida filed a class action lawsuit in federal court back in January against the fast food corporation over $600 in fraudulent charges after the plaintiff unknowingly used his card at one of the hacked locations. This suit is one of the first that targets a retailer for not complying with the EMV chip scanner regulation that came into effect in October of last year.
- Krebs, Brian. "Credit Unions Feeling Pinch in Wendy’s Breach." Krebs on Security. N.p., 2 March 2016. Web. 14 March 2016.
- Malone, JD. "Wendy’s data breach among worst, chief of credit-union group says." The Columbus Dispatch. GateHouse Media, Inc., 3 March 2016. Web. 14 March 2016.
- Urrico, Roy. "Wendy’s Discovers POS System Malware." Credit Union Times. ALM Media, LLC, 10 Feb. 2016. Web. 14 March 2016.