Wendy’s Data Breach Losses Eclipse Target and Home Depot Incidents
At least 1,025 Wendy’s locations were hit by one of the biggest malware attacks in history to compromise customer credit and debit cards. Wendy’s initially estimated 300 franchises had been affected before announcing that a second cyber attack engulfed over 1,000 locations. The breach dates back to the Fall of 2015, and was executed with highly sophisticated hacking that was difficult to detect for the better part of six months; this gave the hackers plenty of time to spread financial damage.
Wendy’s ultimately blamed an unnamed third-party point-of-sale (POS) system for the data breach. It’s not uncommon for hackers to look for back doors into payment processors by targeting third party software and services. The malware remotely accessed Wendy’s payment processors and compromised credit and debit cards before it was detected, disabled and removed. Customer cardholder names, credit and debit card numbers, cardholder verification and codes were just some of the sensitive data stolen.
The incident is complicated even more by the fact that many of the franchises were not up-to-date with the latest EMV regulations. The new rules require retailers and merchants to accept EMV chips to enhance security for credit and debit card transactions; these rules weren’t in effect when Target and Home Depot were hacked. Without an EMV reader in place, Wendy’s may absorb more of the liability that banks formerly took on in former breaches.
Some banks have already claimed Wendy’s as guilty of neglect. Reports show First Choice Federal Credit Union filed a suit against Wendy’s, arguing it knew about the attack for months as customers continued using compromised POS systems. They claim Wendy’s could have minimized the risk and financial fallout. The total loss of Wendy’s data breach is predicted to be greater than Target’s $148 million breach in 2014, and Home Depot’s attack that resulted in a $25 million bank settlement.
To minimize ongoing financial risk, Wendy’s customers should keep a diligent eye on their accounts and bank statements, and immediately contact their financial providers about any suspicious activity. Wendy’s also released an online breakdown of which franchises were affected, and in which states. Customers can check to see if their locations are on the list to narrow down the likelihood of being targeted. But regardless of what franchises were impacted, all Wendy’s customers should still monitor their finances as a precaution.
Anyone potentially affected by the Wendy’s breach should sign-up for an identity theft service to closely monitor their credit and financial activity. Also keep in mind that not all merchants and retailers have updated their systems, or they continue to rely on outdated operating systems. For example, The Street reported that it’s not unusual for even large corporations to run their POS on obsolete software with no plans to upgrade it. This makes it all too easy for hackers to infiltrate systems undetected and steal financial data. Whether you’re a Wendy’s customer or not, monitoring for identity theft is crucial in the age of POS systems.
Comments are closed.