Digital Transactions Authoritative, insightful and timely information for payments professionals
The Wendy’s Co. admitted publicly Wednesday that a point-of-sale system at “fewer than 300” of its franchised restaurants in North America had been affected by malware, starting last fall.
In a quarterly filing with the Securities and Exchange Commission, the Dublin, Ohio-based hamburger chain also said it has worked with “cybersecurity experts” to disable and remove the malware. The breach did not affect an Aloha POS system used in most franchise and all company-owned stores, according to the filing. The Aloha system, which is sold by NCR Corp., is expected to be installed in all locations by the end of the year.
Nonetheless, the filing indicates at least two entities, including a customer and a credit union, have already sued the chain over the breach. The financial institution is First Choice Federal Credit Union, New Castle, Pennsylvania, which filed its suit April 25 in U.S. District Court for the Western District of Pennsylvania and is seeking class certification.
The security blog KrebsonSecurity.com first reported the Wendy’s breach in January, and added in a post Wednesday that “sources at multiple financial institutions” complain that some of the affected locations were still “leaking” card data as late as early April. “Many banks and credit unions” are unhappy about the “extent and duration” of the breach, Krebs reported in its post Wednesday after the Wendy’s disclosure.
A Wendy’s spokesman told Krebs the protocols its unnamed third-party forensic investigator is required to follow, coupled with the involvement of franchised locations, can cause delays. The disclosure in the quarterly filing is based on “preliminary findings” from that investigation along with other information, the filing says, adding the company expects a “final report” from the investigator soon.
Still, the filing cautions investors that more litigation could be coming. “In addition, claims may also be made by payment card networks against the affected franchisees,” the company warns.
Aside from the malware, which affected about 5% of the chain’s 5,500 U.S. and Canadian franchised locations, the filing also indicates Wendy’s found another 50 franchised units “are suspected of experiencing, or have been found to have, unrelated cybersecurity issues.” Wendy’s and the affected restaurants “are working to verify and resolve these issues,” according to the filing.
Despite cases like the Wendy’s breach, confidence is rising among retail information-technology professionals that they can detect a breach quickly. Some 75% of more than 200 retail IT respondents said they could find a breach on so-called critical systems within 48 hours, up from 42% in 2014, according to a survey released last month by the security firm Tripwire Inc. Yet, one-third of the respondents also said they have sustained an incident where personally identifiable information was stolen or accessed by hackers, up from 14% two years ago.
