Wendy's Reaches $50 Million Breach Settlement With Banks


After Insurance, Fast-Food Chain's Breach Costs Are Nearly $34 Million

(euroinfosec) • February 19, 2019

Where's the breach? In 2015 and 2016, it was at Wendy's, when attackers infected 1,025 of its restaurants' point-of-sale systems with malware, leading to the loss of massive quantities of payment card data.


Subsequently, consumers and financial institutions filed class action lawsuits against Wendy's, alleging that it had failed to properly secure its systems or notify customers and institutions that it had been breached (see: Suit Against Wendy's Cites Lack of EMV).

In October 2018, Wendy's settled the consumer class action lawsuit for $3.4 million.

Last week, Wendy's reached a proposed settlement with financial institutions, including attorneys' fees and costs, that would pay out $50 million. Of that, Wendy's says it expects to pay about $27.5 million, while the rest will be covered by insurance. The fast-food giant notes that the settlement agreement must still be approved by the court. After that, the payment would not be made until late in 2019.

"We are encouraged by the progress made to resolve this case, and we believe this settlement is in the best interests of Wendy's and its shareholders," Todd Penegor, Wendy's president and CEO, says in a statement. "With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks. We look forward to putting this behind us so that we can continue to focus on growing the Wendy's brand."

In November 2018, Wendy's reported Q3 revenue of $400.5 million and net income of $391.2 million, up from Q3 2017 revenue of $308 million and $14.3 million in net income.

RAM-Scraping Malware

Wendy's says its 1,025 restaurants - operated by franchisees - were hit by two waves of POS malware attacks, both of which began in the fall of 2015.

The restaurant giant discovered the first wave of RAM-scraping malware infections in late January 2016 and had it cleaned up by March 2016; it discovered the second wave in May 2016 and fully remediated it the following month, Wendy's has told Information Security Media Group (see: Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).

Last week, Wendy's estimated that its total costs resulting from the data breach will reach nearly $34 million. "The company has now reached agreement in principle to resolve all of the outstanding legal matters related to the 2015 and 2016 criminal cyberattacks," Wendy's says in a Form 8-K filed with the Securities and Exchange Commission on Feb. 13.

[Photo: The first Wendy's restaurant in Columbus, Ohio (Photo: Wendy's)]

"The company expects to incur total costs related to the criminal cyberattacks of approximately $33.5 million (inclusive of the financial institutions settlement), of which approximately $6 million was incurred in prior years," it adds.

Consumer Class Action Settlement

Consumer victims of the restaurant chain's data breaches have until March 21 to claim up to $5,000 "for unreimbursed out-of-pocket expenses resulting from the data breach," according to Wendy's consumer class action settlement agreement.

Any breach victims who lack documentation of those expenses can claim up to two hours of time spent remedying the data breach, at $15 per hour.

With documentation, Wendy's says breach victims can claim:

"Costs and expenses spent addressing identity theft or fraud;
Losses caused by restricted access to funds - i.e. costs of taking out a loan, ATM withdrawal fees; and preventive costs, including purchasing credit monitoring, placing security freezes on credit reports, or requesting copies of credit reports for review;
Late fees, declined payment fees, overdraft fees, returned check fees, customer service fees and/or card cancellation or replacement fees;
Unauthorized charges on credit or debit cards that were not reimbursed;
Other documented losses that were not reimbursed; and
Up to five hours of documented time spent remedying issues relating to the data breach (calculated at the rate of $15 per hour)."

"The aggregate total amount that any settlement class member may receive in reimbursement for these two types of payments will not exceed $5,000," according to the consumer settlement agreement.