Settlement reached in Wendy's data breach case (Image: Shutterstock).
After two and half years of litigation and three rounds of mediation, a group of credit unions and credit union leagues has reached a settlement agreement with fast food giant Wendy's after the company's 2015-2016 data breach.
The settlement requires Wendy's to pay $50 million to a settlement fund set up to compensate financial institutions and pay attorney fees. Subject to court approval, Wendy's will also pay a $7,500 "service award" to each deposed plaintiff, plus $2,500 to three other financial institution plaintiffs in the class-action complaint.
The plaintiffs' attorneys will request 30% of the settlement plus reimbursement for their costs and expenses, according to court documents.
Financial institutions in the settlement class can file a claim without having to submit proof of their losses, according to a memorandum filed with the court.
"By way of example, if valid claims are submitted for all eligible cards, it is estimated that settlement class members could receive approximately $2.00 per Alerted on Payment Card. If, for example, 40% of Alerted on Payment Cards are submitted in approved claims, then settlement class members could receive approximately $4.80 per Alerted on Payment Card," it said.
Wendy's also agreed to implement new data security measures.
"We are pleased that Wendy's has agreed to settle claims involving this data breach. The settlement provides a substantial financial recovery to credit unions that were harmed by the data breach," CUNA President and CEO Jim Nussle said. "We will continue to fight for recoveries on behalf of credit unions who bear the financial burden of merchant data breach costs. CUNA continues to pursue federal data security laws, making it much harder for merchants to compromise American consumer's payment card information.
According to court documents, the breach, which allegedly began in October 2015 and became public in early 2016, affected more than 1,000 Wendy's franchise locations and 18 million payment cards. The credit union and CU league plaintiffs alleged that criminals sold much of the exposed data on the black market; criminals then used the data to make fraudulent transactions. That caused credit unions to cancel and reissue cards, reimburse members for fraud, as well as incur other expenses, the plaintiffs claimed.
In a press release, Wendy's said its applicable insurance would pay about $22.5 million of the $50 settlement.
"We are encouraged by the progress made to resolve this case, and we believe this settlement is in the best interests of Wendy's and its shareholders," Wendy's President and CEO Todd Penegor added. "With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks. We look forward to putting this behind us so that we can continue to focus on growing the Wendy's brand."
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
