The Pennsylvania-based First Choice Federal Credit Union has initiated legal action against fast food chain Wendy's over a data breach that obviously has happened following an instance of POS Malware strike.
The class-action suit, filed in the US District Court for the Western District of Pennsylvania by First Choice Federal Credit Union, "on behalf of itself and all others similarly situated" and against the Wendy’s Company, Wendy’s Restaurants, LLC, And Wendy’s International, LLC, alleges that "Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data". The POS Malware infection and consequent breach reportedly happened between October 22, 2015, and March 10, 2016. POS Malware, installed by hackers in Wendy's network, helped them get away with Track 1 and Track 2 data, which normally includes accountholder’s name, primary account number (PAN), expiration date, and service code, expiration date, and verification code. This POS attack had come to light following a security alert received by VISA.
As per the allegations made by First Choice Federal Credit Union the POS Malware strike and the consequent Point of Sales security breach "was the inevitable result of Wendy’s pervasive and inadequate approach to data security." It has been pointed out that the POS Malware that hackers had installed had remained undetected for weeks or months (This does happen on many occasions during POS Malware attacks). The mischief caused by the POS Malware came to light only when, possibly after the hackers had used or sold the stolen data, outside parties notified Wendy's that a POS Security breach might have happened. First Choice FCU also states that the " financial costs caused by Wendy’s deficient data security approach have been borne primarily by the financial institutions, like Plaintiff, that issued the payment cards compromised in the data breach." It has been pointed out that these costs include canceling and reissuing compromised cards and reimbursing affected customers. There is also the reference to the mention by industry sources that the breach caused by the POS Malware attack at Wendy's is bigger in scale than other recent data breaches, like the Target and Home Depot breach. (The POS Malware attack and consequent data breach at Target Corporation in late November to early December 2013 resulted in data from around 40 million credit and debit cards being stolen while the Point of Sale Security breach and consequent data theft at Home Depot, the world’s largest home improvement chain, affected 56 million credit and debit cards. Home Depot had also disclosed that 53 million email addresses were also stolen in the POS attack that happened in 2014).
First Choice Federal Credit Union has mentioned that financial institutions affected by the POS Malware attack and data breach would be facing more than $5 million in losses, exclusive of interest and costs.
Wendy's is yet to comment on the extent of losses that the breach could have caused.