Wendy’s to pay $50M in data breach settlement

Wendy’s has agreed to pay $50 million to settle negligence claims following its 2015-2016 data breach that affected more than 1,000 of the burger chain’s locations.

Payment card data was stolen from victims who purchased food at these locations then used fraudulently at other merchants after malware was installed through a third-party vendor.

The settlement includes attorneys fees and costs. Wendy’s said it would end up paying roughly $27.5 million of its own funds after exhausting insurance, according to the press release.

“With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks,” Wendy’s President and CEOTodd Penegor said in the release. “We look forward to putting this behind us so that we can continue to focus on growing the Wendy’s brand.”

Last September, Wendy’s settled a class action lawsuit from customers affected by the breach.

“Point of sale systems are lucrative targets for bad actors,” The Media Trust Digital Security and Operations Manager Mike Bittner told SC Media. “These systems are often outsourced to third parties with weak security postures, and give access to millions of payment card information. When malicious campaigns succeed, bad actors are able to either sell the information on the dark web or commit identity theft themselves.”

Bittner added the fact that Wendy’s has had to settle with financial institutions and consumers shows the growing importance of securing identity and financial information. He explained that consumer privacy laws, both those that have already been enacted as well as those over the horizon, will force business to improve their data protection and privacy capabilities.

Almost always, the bad guys are getting into these large networks with a phishing email as their initial attack vector. Stepping users through new-school security awareness training is a must today. SCMedia had the story.