By: Mitch Tanenbaum, Partner, CyberCecurity, LLC
ICM Guest Blogger
As could be expected, the Wendy’s data breach saga continues. A proposed class action lawsuit was filed by a credit union in Pittsburgh representing all banks who were affected by the breach.
As reported by Brian Krebs in March, credit unions said that they saw a rise in fraudulent credit card use that was greater than what they saw after the Target or Home Depot breaches. One credit union said its fraud losses were 5 to 10 times what it saw during the Target and Home Depot breaches. That money has to be recovered somehow, either through higher bank fees, higher fees to merchants (which are reflected in higher prices) or lawsuits against the store that caused the expense. As we saw in both the Home Depot and Target breaches, those lawsuits only recover a small portion of the costs.
Wendy’s has been pretty mum about the extent of this breach. It is not clear why they have not disclosed the scope of the breach. The lawsuit is providing a little bit of information.
The lawsuit claims that Wendy’s “refused to take steps to adequately protect its computer systems from intrusion”. That is a pretty strong claim.
The lawsuit claims that the breach ran from Oct 22, 2015 to March 10, 2016, or about 5 months.
Wendy’s was notified by customers in January that they were seeing unusual activity on their credit cards after visiting Wendy’s locations. In other words, Wendy’s didn’t figure out they were breached, customers did – which is why it is important to review your credit card and bank statements regularly. An even better solution is to have your bank send you a text message every time your credit or debit card is used. Most banks have this capability and it is free. That way you will know instantly if your credit card is used fraudulently.
Wendy’s did not admit to the fraud until February 9th and then told customers not to worry – that the banks would reimburse them for any fraud. While this is true, it wouldn’t seem to be the most responsible way of dealing with the situation. Most businesses agree to be responsible if consumers lose money, even though they know that the banks will provide the first line of defense.
The lawsuit goes on to say that “Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data”. Readers of this blog may remember that I reported earlier that the Wendy’s CFO said that it was cheaper to pay the fraud than to upgrade their point of sale system to accept chip based cards. It is not clear if he still feels that way.
As a result of the breach, the banks have been forced to cancel and reissue cards, change or close accounts, notify customers that their cards have been compromised, investigate fraud claims, refund charges, increase monitoring and take other steps, the lawsuit says.
What is different in this case from, say, Target is that under new credit card rules effective October 1, 2015, businesses are now liable for all of these costs if the consumer presented a chip based card and the store did not have a chip based credit card reader. As of the last report I saw, only about 50% of businesses have chip based credit card readers. Wendy’s is not one of those stores.
The banks would likely want to make a showcase of Wendy’s to push stores to adopt chip based technology. So while the Wendy’s CFO was likely thinking of the fraud costing him the $5 cost of a burger, under the new rules it could cost him $100 or $200 per fraudulent transaction, for all of the expenses described above. If there were only, say, a million fraudulent transactions, you can do the math.
The lawsuit goes on to say that Wendy’s, in a recent SEC filing, said that it was heavily dependent on its POS system and that any breach could impair its ability to operate efficiently. The report was filed in January; whether they knew about the breach at that time is unclear.
The lawsuit also says that Wendy’s was not following 2007 FTC guidelines and similar state regulations designed to protect consumer data. 2007 was a long time ago, so it is going to be hard for Wendy’s to defend why it was not following those rules.
I suspect that Wendy’s will settle out of court given these claims. The truth would likely be way uglier than paying the banks. What is unclear is how much the banks will be asking for. In past large breaches, the banks settled in the $10 million to $30 million range. Since the banks are claiming that this breach is costing them way more than the Target or Home Depot breaches did and considering the new credit card liability rules, it is not clear how much this will cost Wendy’s.
Wendy’s has also not said if they carried cyber liability insurance or if they did, how much coverage they had. I will be amazed if it turns out that they did not have some coverage.
While the suit likely won’t be settled for years, we should see some more information in future Wendy’s SEC filings.
Information for this post came from Krebs On Security and the Courthouse News Service.