Where’s the breach? In 2015 and 2016, it was at Wendy’s, when attackers infected 1,025 of its restaurants’ point-of-sale systems with malware, leading to the loss of massive quantities of payment card data.
Subsequently, consumers and financial institutions filed class action lawsuits against Wendy’s, alleging that it had failed to properly secure its systems or notify customers and institutions that it had been breached (see: Suit Against Wendy’s Cites Lack of EMV).
The consumer class-action lawsuit – Torres v. Wendy’s International – was filed in February 2016. Wendy’s settled that lawsuit In October 2018 for $3.4 million.
In April 2016, Pennsylvania-based First Choice Federal Credit Union filed a lawsuit, seeking class-action status on behalf of all affected financial institutions. The lawsuit seeks to have Wendy’s compensate affected card issuers for breach-related losses and expenses, such as the cost of reissuing cards and compensating cardholders for fraud losses. It also asks that the court ensure that Wendy’s shores up its information security practices and procedures. The lawsuit was joined by numerous other organizations, including the Federal Deposit Insurance Corporation.