Dublin, Ohio-based, fast food chain Wendy's confirmed that hackers breached customer payment card data at 1,025 of its restaurants nationwide, a number considerably higher than originally believed.

Wendy's said it worked with forensic experts, federal law enforcement and card industry contacts and found that specific card information (cardholder name, card number, expiration date, cardholder verification value and service code) was targeted by malware. The investigation found that the malware first hit some franchisee systems as early as fall 2015.

“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy's restaurants,” Todd Penegor, Wendy's president/CEO said. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”

The company also released a list of locations affected by the breach, searchable by city and state but did not specify how many customers took a hit.

Cybersecurity expert Brian Krebs first reported the breach in January. In mid-May, the company announced in its first quarter financial statement that the fraud only affected 5% of stores, fewer than 300 locations.

However, a number of sources in the fraud and banking community told Krebs there was no way the Wendy's breach only affected 5% of stores, given the volume of fraud the financial institutions traced back to Wendy's customers.

In June, the Michigan Credit Union League, its members and CUNA advocated for stronger merchants and card network accountability after the Wendy's restaurants breach forced several credit unions to cover associated costs. CUNA also announced it was also joining a data breach lawsuit against the restaurant chain.

According to CUNA, industry sources estimated the fraudulent charges have been even larger than in other recent data breaches such as those at Target and Home Depot, which combined cost credit unions more than $90 million.

Vicki McIntosh, president/CEO of the $21.5 million, Richmond, Mich.-based Belle River Community Credit Union, said her cooperative paid $8,000 in fraudulent charges. In addition, the credit union paid $1,000 in out-of-pocket costs to issue new cards because of the breach.

McIntosh, Michigan credit union leaders and the Michigan Credit Union League CEO Dave Adams called on lawmakers to require retailers to be held to the same federal data breach standards credit unions are subject to, and to enforce the laws currently in place.

“The current system is broken, retailers big and small experience a breach and months go by without any notice to credit unions of which cards are compromised, which results in a spike in fraud losses, and once again local credit unions are left holding the bag,” Adams said. “Again, we call on lawmakers and regulators to use their full authority to ensure both retailers and card network companies are doing their part to protect customer's information instead of leaving credit unions to continually shoulder the burden.”

Ondrej Krehel, founder/CEO of the New York City-based LIFARS, a digital forensics and cybersecurity intelligence firm, noted, “Malware distribution is becoming a commodity, and organized crime rings are moving latterly from target to target. No one is immune, and many times the same crime group penetrates multiple networks of various enterprises.”

NAFCU President/CEO Dan Berger issued the following statement in light of Wendy's announcement:

“It is an outrage that retailers continue to compromise the safety of consumers' sensitive financial information and our economy,” Berger said. “Congress must act to implement national data security standards for retailers. Without these standards, essentially every time consumers use their credit or debit card they are gambling to see when their data will be breached, not if.”

NAFCU said it was first financial trade organization to call for national data security standards for retailers, and emphasized it continues to push for legislative action on Capitol Hill.

NAFCU added it believes the bipartisan legislation S. 961, also known as the Data Security Act of 2015, which is currently before Congress, would set a national data security standard for retailers akin to the Gramm-Leach-Bliley Act and would hold retailers accountable for breaches occurring on their end while acknowledging financial institutions' existing adherence to GLBA standards.

The Wendy's chain includes about 6,500 franchise and company operated restaurants in the United States, 28 other countries and U.S. territories worldwide. Most of the U.S.-operated stores are franchises.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).