Wendy's Reaches $50 Million Breach Settlement With Banks18 Million Payment Cards From 7,500 Financial Firms Compromised in Data Breach
Where's the breach? In 2015 and 2016, it was at Wendy's, when attackers infected 1,025 of its restaurants' point-of-sale systems with malware, leading to the loss of massive quantities of payment card data.
Subsequently, consumers and financial institutions filed class action lawsuits against Wendy's, alleging that it had failed to properly secure its systems or notify customers and institutions that it had been breached (see: Suit Against Wendy's Cites Lack of EMV).
The consumer class-action lawsuit - Torres v. Wendy's International - was filed in February 2016. Wendy's settled that lawsuit In October 2018 for $3.4 million.
In April 2016, Pennsylvania-based First Choice Federal Credit Union filed a lawsuit, seeking class-action status on behalf of all affected financial institutions. The lawsuit seeks to have Wendy's compensate affected card issuers for breach-related losses and expenses, such as the cost of reissuing cards and compensating cardholders for fraud losses. It also asks that the court ensure that Wendy's shores up its information security practices and procedures. The lawsuit was joined by numerous other organizations, including the Federal Deposit Insurance Corporation.
The plaintiffs estimate that 18 million payment cards issued by approximately 7,500 financial institutions were compromised in the data breach.
The financial firms' lawsuit - First Choice Federal Credit Union v. The Wendy's Company - may be close to resolution. Last week, Wendy's reached a proposed settlement with financial institutions, including attorneys' fees and costs, that would pay out $50 million. Of that, Wendy's says it expects to pay about $27.5 million, while the rest will be covered by insurance. The fast-food giant notes that the settlement agreement must still be approved by the court. After that, the payment would not be made until late in 2019.
$50 Million Settlement Fund
"Under the settlement agreement, defendants will create a non-reversionary settlement fund of $50 million in exchange for a release of all claims against Wendy's franchisees arising from third-party criminal cyberattacks of certain of Wendys' [sic] independently owned and operated franchisee restaurants involving malware variants targeting customers' payment card information that Wendy's reported in 2016 (the 'data breach')," according to court documents.
What will the settlement fund cover? "The settlement fund will be used to pay: (1) disbursements to settlement class members that file approved claims; (2) the costs of settlement administration and any taxes due on the settlement fund account; (3) attorneys' fees, costs, and expenses to class counsel in amounts approved by the court; and (4) service awards to the settlement class representatives in amounts approved by the court," according to court documents.
Of the proposed $50 million settlement fund, $36 million has been set aside to compensate banks for card data exposed in the breach. "By way of example, if valid claims are submitted for all eligible cards, it is estimated that settlement class members could receive approximately $2.00 per eligible payment card," according to the proposed settlement. "If, for example, 40 percent of eligible payment cards are submitted, then settlement class members could receive approximately $4.80 per eligible payment card."
Responding to security criticism, the proposed settlement agreement also states: "Wendy's also will adopt or maintain certain reasonable safeguards to manage its data security risks."
'Agreements in principle'
"We are encouraged by the progress made to resolve this case, and we believe this settlement is in the best interests of Wendy's and its shareholders," Todd Penegor, Wendy's president and CEO, says in a statement. "With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks. We look forward to putting this behind us so that we can continue to focus on growing the Wendy's brand."
In November 2018, Wendy's reported Q3 revenue of $400.5 million and net income of $391.2 million, up from Q3 2017 revenue of $308 million and $14.3 million in net income.
Wendy's says its 1,025 restaurants - operated by franchisees - were hit by two waves of POS malware attacks, both of which began in the fall of 2015.
The restaurant giant discovered the first wave of RAM-scraping malware infections in late January 2016 and had it cleaned up by March 2016; it discovered the second wave in May 2016 and fully remediated it the following month, Wendy's has told Information Security Media Group (see: Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).
Last week, Wendy's estimated that its total costs resulting from the data breach will reach nearly $34 million. "The company has now reached agreement in principle to resolve all of the outstanding legal matters related to the 2015 and 2016 criminal cyberattacks," Wendy's says in a Form 8-K filed with the Securities and Exchange Commission on Feb. 13.
"The company expects to incur total costs related to the criminal cyberattacks of approximately $33.5 million (inclusive of the financial institutions settlement), of which approximately $6 million was incurred in prior years," it adds.
Consumer Class Action Settlement
Consumer victims of the restaurant chain's data breaches have until March 21 to claim up to $5,000 "for unreimbursed out-of-pocket expenses resulting from the data breach," according to Wendy's consumer class action settlement agreement.
Any breach victims who lack documentation of those expenses can claim up to two hours of time spent remedying the data breach, at $15 per hour.
With documentation, Wendy's says breach victims can claim:
- "Costs and expenses spent addressing identity theft or fraud;
- Losses caused by restricted access to funds - i.e. costs of taking out a loan, ATM withdrawal fees; and preventive costs. including purchasing credit monitoring, placing security freezes on credit reports, or requesting copies of credit reports for review;
- Late fees, declined payment fees, overdraft fees, returned check fees, customer service fees and/or card cancellation or replacement fees;
- Unauthorized charges on credit or debit cards that were not reimbursed;
- Other documented losses that were not reimbursed; and
- Up to five hours of documented time spent remedying issues relating the data breach (calculated at the rate of $15 per hour)."
"The aggregate total amount that any settlement class member may receive in reimbursement for these two types of payments will not exceed $5,000," according to the consumer settlement agreement.