Wendy’s, the popular fast food chain, has found itself the target of a large-scale data breach.
According to a report issued by Wendy’s, the cybersecurity lapse was caused by malware, which “has been discovered on some franchise restaurants' POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.”
The breach started in the fall of 2015 and resulted in a loss of data that included cardholder information including names, account numbers, expiration dates and PIN numbers. This incident is said to have impacted more cardholders than the recent breaches of Target and Home Depot, which, according to CUNA, combined to cost credit unions more than $90 million.
What does this mean for credit unions?
There is a significant concern among credit unions regarding why the fast food chain did not report the breach until May 11 despite having discovered it in the fall of 2015. The Credit Union National Association (CUNA) has recently reported joining the ongoing lawsuit against Wendy’s, asking that the fast food chain be held accountable.
Alongside the restaurant chain’s months-long wait to disclose the incident, a lack of communication to credit unions on behalf of card issuers (MasterCard and VISA) has left many credit unions with large, unforeseen costs.
MCUL talked to Belle River Community Credit Union (BRCCU), who found out they were impacted by the breach through members reporting strange activity on their account.
BRCCU’s CEO Vicki McIntosh said her credit union ended up paying $1,000 in out-of-pocket costs to issue new cards to members as a result of the breach.
“We have to care about this,” said McIntosh. “Something like this can happen and eat up our entire net income for the month.” The costs equated to one month of the $20.2 million asset credit union’s income.
CUNA CEO Jim Nussle on CUNA's fight for
future data breach legislation
Compounding the hit to the credit union’s bottom line, McIntosh said she was never contacted by the card company to tell her what member’s cards had been compromised. In addition, a forensic investigation required to be conducted by the merchant after a breach has still not been completed according to Michigan Credit Union League’s Regulatory Affairs Staff.
“Not only are we paying for this, but our members are too,” McIntosh continued. “It filters down to the cardholders and becomes very inconvenient for their personal finances.”
McIntosh, Michigan credit union leaders and MCUL CEO Dave Adams implore lawmakers to require retailers to be held to the same federal data breach standards of which credit unions are subject, and to enforce the laws currently in place.
“The current system is broken—retailers experience a breach and months go by without any notice to credit unions of which cards are compromised which results in spikes in fraud losses—and once again local credit unions are left holding the bag,” MCUL CEO Dave Adams said. “Again, we call on lawmakers and regulators to use their full authority to ensure both retailers and card network companies are doing their part to protect customer’s information instead of leaving credit unions to continually shoulder the burden.”
UPDATE: Wendy’s has released a searchable list of every restaurant potentially affected by the recent data breach. The list reveals 106 Michigan Wendy’s locations. To search for the exact locations, you can find the database here.