Wendy’s Breach is the First of its Kind

Wendy’s Credit Card System Breach

If you haven’t heard, in January of this year Wendy’s the Ohio-based hamburger chain had a breach of their system.  Unfortunately, these days’ breaches are all too common, however, this one was different because Michigan-based American 1 credit union took a stance that until now hadn’t been taken by any bank or credit union and the ripple effects continue to swirl around the Columbus, Ohio-based hamburger chain, some perhaps in unexpected ways.

American 1 credit union that last week began declining credit and debit card transactions by its members at all Wendy’s locations and refuses to say specifically when the ban will be lifted. For now, it is in effect “until further notice,” Marla Sanford, marketing director at American 1 Credit Union, tells Digital Transactions News.  She refuses to comment beyond a notice posted on the credit union’s blog Oct. 6.  Jackson, Mich.-based American 1 took the measure to protect its cardholders and itself from the risk that card data could be compromised, the post says. “While Wendy’s has reported that the malware responsible for the cyberattacks has been disabled at all franchise locations affected by the data breach, community members have still been reporting fraudulent activity on their accounts, even after reissuance of their debit or credit card,” the post says.

American 1 has reissued more than 18,000 cards so far out of a total of 47,000 outstanding, the post says, adding the institution’s fraud losses so far from Wendy’s breach are nearly equal to losses it sustained in 2014 in the Home Depot Inc. data compromise. In that breach, an insurance policy held by American 1 covered only 11% of the losses, leaving the credit union responsible for the other 89%, the post says. The post does not quantify the total loss from the Home Depot incident, though it says the credit union in that case ended up reissuing 4,200 cards, less than a quarter of the number reissued so far in the Wendy’s breach.

The cyberattack at Wendy’s began last fall, was first reported in January, and has affected 1,000 of the chain’s 5,500 franchised stores. The company did not respond to a request for comment on American 1’s decision to suspend card usage at its stores.  The breach first came to light in a report in KrebsOnSecurity, an online cybersecurity newsletter, and was confirmed in February by the company, which worked with forensic experts and federal law enforcement to defeat malware that had been planted in its system through a compromise of remote access credentials held by service providers. In June, the company reported “additional malware variants” in its system, which it disabled, according to a federal filing made in August. The chain says there has been no evidence indicating any company-operated stores have been affected.

In the wake of the breach, Wendy’s has become the target of litigation by both customers and financial institutions. Most recently, a consolidated case involving some 22 financial-institution and five trade-association plaintiffs was filed in July in the U.S. District Court for the Western District of Pennsylvania. The plaintiffs seek certification of a class of financial institutions impacted by alleged negligence on the part of Wendy’s.

The entire situation has us asking the question, is this just a one off credit union decision or will this become the new standard for banks and credit unions as they try to protect themselves from absorbent fraud costs?  Only time will tell, but it might be the answer when you get your next decline for a simple burger purchase.

Let’s Talk