A small Pennsylvania credit union has taken on fast food giant Wendy's, alleging in a new class-action suit that the burger purveyor's massive data breach earlier this year will cost card issuers hundreds of millions of dollars.
First Choice Federal Credit Union, which has $43 million in assets and 6,500 members, alleged that the breach was caused by malware on the company's point-of-sale systems that stole Track 1 and Track 2 data. That data normally includes cardholder names, primary account numbers, card expiration dates and sometimes PIN numbers, the complaint said. According to a Visa CAMS alert cited in the filing, the exposure window for the data breach ran from Oct. 26, 2015 through March 10, 2016.
“With that data, unknown perpetrators were able to make hundreds of thousands or even millions of fraudulent undetected purchases on credit and debit cards that had been issued by plaintiff and members of the class,” First Choice said in its complaint.
The breach resulted in the credit union and thousands of other card issuers having to cancel and reissue compromised cards, change or close accounts, notify cardholders about the compromise, investigate claims of fraudulent activity, increase fraud monitoring activities, as well as reimburse cardholders for fraudulent charges, according to First Choice, which is headquartered in New Castle, Penn.
“They also lost interest and transaction fees due to reduced card usage,” the credit union added. “Furthermore, debit and credit cards belonging to class members and plaintiff – as well as the account numbers on the face of the cards – were devalued.”
The suit also claims that, among other things, Wendy's failed to delete cardholder information from its systems after authorizing transactions, failed to protect against malware and viruses, didn't have an adequate firewall, didn't limit or track access to the card data, failed to disclose the breach in a timely manner and didn't convert to EMV. First Choice also alleged the POS systems at Wendy's were out of date.
The credit union said the hackers specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions to suffer losses greater than what was experienced after the Home Depot or Target data breaches.
In March, Home Depot agreed to a $28 million settlement with a class of up to 53 million consumers whose payment card or email data was stolen during that retailer's 2014 data breach. In that suit, hackers allegedly used a third-party vendor's credentials to install malware that stole names, card numbers, expiration dates and three-digit security codes. A card issuer suit against the company is still working its way through the court system.
Last December, Target Corporation agreed to pay financial institutions almost $40 million to settle a class-action suit related to its 2013 data breach. The point of access allegedly was a phishing email opened by an employee at Target's refrigeration vendor, which had direct access to the retailer's system via its construction management software.
At press time, Wendy's had not yet responded to a request for comment.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
