Wendy’s made news at the end of January with a data breach, prompting inevitable, “Where’s the Breach” jokes. They disclosed the breach after an inquiry from Brian Krebs based on information he’d received from a banking industry insider of suspicious activity on cards that shared Wendy’s as a common point of sale. The company confirmed that they had received reports of a potential breach, and were bringing in an outside security firm to do a complete investigation.
Yet from the beginning they have been reluctant to confirm the numbers affected or how long the breach persisted. So far, all they’ve confirmed is that the breach occurred “late last year.”
With no concrete information on when and where this took place, Wendy’s customers are in the dark waiting to find out if their card has been stolen in the last few months or even if current point-of-sale payment machines at the fast food restaurant have since been secured.
Of course, “late last year” was also right after the EMV switch. As we’ve talked about here before, many retailers weren’t prepared for the switch for a variety of reasons, and as the months have worn on, many still are choosing not to implement the new technology, either at all or only partially, in the hopes of defraying installation costs or to have other retailers take on the burden of teaching customers how the new systems work.
Not satisfied with just getting a new debit card, an Orlando man has filed against Wendy’s for the breach in federal court. His card was one of those stolen and nearly $600 of purchases were made against it. The reason for his class action lawsuit is two-fold: that Wendy’s knew POS terminals could be attacked by malware as other retailers have been in the last two years, and that they had not done due diligence in updating their technology by switching to EMV, and are thus liable. This probably won’t be the last of these kinds of lawsuits.
In the month that’s followed, there have been no updates from Wendy’s on the scale of the breach, but there is some news coming from those who are seeing the fraud play out – banks themselves. Brian Krebs, following up on the story, is reporting that according to the National Association of Federal Credit Union, numerous credit unions are seeing a huge increase in debit card fraud, and in amounts in excess of the fraud seen as a result of the Target and Home Depot breaches. In fact, the source noted that the fraud was highly targeted and well-timed. Fraudsters have had a couple of years to run this hack, and are only getting better at it.
Wendy’s may be trying to save face, but by staying quiet on the breach it’s leaving customers to their own devices and banks facing a wall of climbing fraud charges. While Wendy’s won’t see an immediate financial hit, customer loyalty will be badly shaken and in some cases customers make take the company to court. If other companies have been delaying on the switch to EMVs for whatever reason, perhaps there’s still time to take another look at the menu and place a different order.