Wednesday, May 31, 2023 | Back issues
Courthouse News Service Courthouse News Service

Banks Sue Wendy’s Over|Five-Month-Long Data Hack

PITTSBURGH, Pa. (CN) — A major data security breach at Wendy's restaurants could have been easily prevented had the company acted faster, according to a class action filed on behalf of banks whose customers were affected by the breach.

The suit, filed in Federal Court in Pittsburgh on April 25 by First Choice Federal Credit Union, claims the fast-food chain "refused to take steps to adequately protect its computer systems from intrusion," which led to a nearly five-month-long data breach where customer credit card information was stolen.

The lawsuit lists several outdated computer and credit card systems Wendy's used, from easily hackable computer systems to outdated credit card technology, and notes how the company failed to meet regulations and guidelines set by several federal agencies to prevent such data breaches.

The data breach occurred when hackers used malware to break into Wendy's computer system and stole data from possibly millions of customer credit cards used at the chain's locations from Oct. 22, 2015 through March 10, 2016.

The source of the data breach has not yet been determined. A Wendy's spokesman said malware was found at some of the company's locations by third-party investigators, but that the company has not yet validated those findings. The company has not yet confirmed conclusively how many of it 6,000 stores worldwide were affected by the breach.

Customers alerted Wendy's to the breach in January, after noticing unapproved charges on their credit cards and banks noticed patterns of fraud on cards used at Wendy's locations. However, instead of publicly acknowledging the data breach and notifying banks, Wendy's waited until the end of January to state it was investigating unusual activity on credit cards at some of its locations, the lawsuit claims.

The company didn't publicly admit to the data breach until Feb. 9, and then assured customers their banks would reimburse them for any fraudulent charges.

"Despite the growing threat of computer system intrusion, Wendy's systematically failed to comply with industry standards and protect payment card and customer data," the lawsuit states, noting that financial institutions have borne the brunt of the data breach.

"As a result of Wendy's data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers," the lawsuit claims.

The main problem, according to the plaintiffs, is that Wendy's computer system was admittedly outdated. The lawsuit cites statements made by the company in 2012 that it needed to update its point-of-sale platforms. In a 2014 lawsuit, Wendy's biggest franchisee DavCo claimed the company's new POS system often froze up and disconnected from the store's network. Wendy's sued DavCo for not installing the POS system.

The lawsuit also references Wendy's most recent annual report, filed in January with the Securities and Exchange Commission, in which the company states it is "heavily dependant" on its computer systems and that any security breach "could impair our ability to efficiently operate our business."

In addition, Wendy's did not follow regulations related to credit card data, often keeping credit card information in its computer system longer than necessary, the plaintiffs claim. The company also allegedly failed to meet the October 2015 deadline for moving to the EMV chip system for credit cards, in which credit card data is transmitted as a unique code that cannot be used again, and kept on using the old magnetic strip technology.

During the breach and in the years before it, Wendy's hadn't followed 2007 guidelines set by the Federal Trade Commission — as well as similar state regulations — designed to protect customer data, the lawsuit states.

Wendy's spokesman Bob Bertini declined to comment on the lawsuit and noted that since January the company was worked with cybersecurity experts.

"We are working with federal law enforcement and the card brands to ensure that the investigation and remediation is appropriate and comprehensive, and that will still take some time to fully complete," Bertini wrote in an e-mail.

The Wendy's data breach is considered one of the worst in recent years, according to some financial officials. Dan Berger, president of the National Association of Federal Credit Unions, said in a recent interview that the dollar amounts from debit cards involved in the breach were much higher than those from recent breaches at Home Depot and Target.

A February class action filed by a customer in Orlando, Florida, also claims the data breach occurred due to deficiencies in Wendy's operating system security.

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.