Why the Wendy’s Data Breach Settlement may be the Worst One Yet… And How the FTC may be Expanding its Breach Governance Approach
In 2015-2016 Wendy’s discovered that its customers were victims of fraudulent charges that were traced back to transactions at Wendy’s restaurants. This launched an incident response investigation, which determined that certain franchise restaurants had indeed been hit by a malware attack against their point of sale (POS) systems.
It turns out that more than 1,000 franchise-owned restaurants were breached by a RAM-scraping infection that hit in January 2016, with a second attack occurring in March 2016. The malware exposed data on 18 million payment cards, including personally identifiable information (PII) and related data such as credit/debit card numbers, cardholder names, expiration dates, and more.
How did the Wendy’s data breach happen? It was determined that third-party vendor credentials were compromised, enabling the attackers to gain a foothold on one system, then move laterally across the network to reach other systems and steal PII data.
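The breach path just described, one compromised vendor credential reused to reach many POS systems, is east-west activity a defender can look for in remote-access logs: a single account authenticating to an unusual number of distinct POS hosts in a short window. The following is an added example, not code from the original post or from CSPi; the log format, the account names, the source IP and the host names are all constructed for illustration.

```python
"""Added example (not from the original post or from CSPi): flag one account
fanning out to many POS hosts within a short window, the lateral-movement
pattern described above. Log format, accounts and host names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed remote-access log lines: "<timestamp> <account> <source_ip> <destination_host>"
SAMPLE_LOGS = """\
2016-01-05T02:10:11 posvendor-svc 203.0.113.9 POS-STORE-0412
2016-01-05T02:12:40 posvendor-svc 203.0.113.9 POS-STORE-0413
2016-01-05T02:15:02 posvendor-svc 203.0.113.9 POS-STORE-0418
2016-01-05T02:18:27 posvendor-svc 203.0.113.9 POS-STORE-0421
2016-01-05T02:21:55 posvendor-svc 203.0.113.9 POS-STORE-0433
2016-01-05T02:25:03 posvendor-svc 203.0.113.9 POS-STORE-0440
2016-01-05T09:00:00 store0412-mgr 10.20.4.12 POS-STORE-0412
2016-01-06T14:30:00 posvendor-svc 203.0.113.9 POS-STORE-0450
"""

def parse_logs(text):
    """Parse the constructed format into (timestamp, account, source_ip, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return events

def find_fanout(events, max_hosts=3, window=timedelta(hours=1)):
    """Return {account: (window_start, hosts)} for every account that reaches more
    than `max_hosts` distinct hosts inside `window`. A sliding window over the
    account's time-sorted logins is used, so a vendor servicing one store per day
    is not flagged while a credential sweeping many stores at 2 AM is."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((ts, dst))
    alerts = {}
    for account, items in by_account.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {dst for _ts, dst in items[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = (items[start][0], sorted(hosts))
                break
    return alerts

if __name__ == "__main__":
    for account, (since, hosts) in find_fanout(parse_logs(SAMPLE_LOGS)).items():
        print(f"ALERT {account}: {len(hosts)} POS hosts since {since:%Y-%m-%d %H:%M}: {hosts}")
```

The thresholds are illustrative; in practice they would be tuned per vendor account against its normal maintenance schedule.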
The impact of the Wendy’s data breach was severe, not only from a data loss perspective but also in the financial payout that Wendy’s agreed to in order to settle the matter: over $53M. Two lawsuits were brought against the company: the first a class-action lawsuit filed by impacted consumers, and the second by financial institutions seeking to recover the costs of re-issuing payment cards following the breach.
Over 7,500 credit unions and other banking institutions cited the fact that the organization had weak data security systems, which ultimately gave the attackers access to the financial data. The Wendy’s data breach settlement with these institutions totaled $50M, with cyber insurance covering only a portion of this.
As part of the $3.4 million Wendy’s data breach settlement of the consumer class-action lawsuit, victims were awarded up to $5,000 for expenses related to the breach, including:
- Costs and expenses spent addressing identity theft or fraud.
- Losses caused by restricted access to funds (for example, the cost of taking out a loan or ATM withdrawal fees) and preventive costs, such as purchasing credit monitoring, placing security freezes on credit reports, or requesting copies of credit reports for review.
- Late fees, declined payment fees, overdraft fees, returned check fees, customer service fees, and/or card cancellation or replacement fees.
- Unauthorized charges on credit or debit cards that were not reimbursed.
- Up to five hours of documented time spent remedying issues relating to the Wendy’s data breach.
The story reinforces how exposed retail, healthcare, hotel, and tourism organizations are because of the high volumes of financial transactions they handle. Complicating the matter is the fact that POS systems are often outsourced to third parties, and there is always the risk of an insider threat, even an unintentional one.
The role of the FTC in the Wendy’s Breach Settlement
Clearly, these are sizable penalties, and it is anticipated that the cost of the Wendy’s data breach will surpass the infamous Target and Home Depot breaches. Given the breadth of the breach, federal cybersecurity investigators were brought on board to determine the scope and impact. As we’ve discussed in our June 2018 blog, the enforcing federal agency for cybersecurity is the Federal Trade Commission. We thought this may be a good time to revisit the role FTC plays in enforcing fines following a data breach.
As we mentioned then, the FTC has assumed the role of the U.S.’s primary enforcer of privacy and data security regulations, with rulemaking power to address data privacy issues and industry-wide practices, particularly those focused on fraud that affects consumers. This became clear in the aftermath of the massive Target data breach just a few years ago.
At that time, the FTC demonstrated how far it will go to protect consumer interests: any business of any size and in any industry can be sued by any business, consumer or group, and the burden is on the business to prove it wasn’t negligent. A harsh lesson Wendy’s has just learned.
While the FTC already has broad authority in breach oversight, the guidelines on what steps an organization must take to meet a “reasonable standard of care” are unclear. However, based upon comments made in 2017, it seems that the FTC is looking not only to expand its authority but also to clarify the definition of breach impact that will be used to assess an organization’s responsibility.
For example, FTC Chairwoman Maureen Ohlhausen stated that the FTC should, and will, focus on “substantial consumer injury vs hypothetical injuries” in deciding which cases to pursue. For instance, health and safety risks, such as those posed by the sharing of real-time and highly accurate location data that may leave consumers vulnerable to stalking, could also constitute a substantial injury, as could the disclosure of sensitive medical information.
In protest, a host of pro-business groups have issued public comments urging the Commission to adopt a regulatory framework designed to regulate actual injuries rather than conjectural ones. In contrast, several consumer groups have encouraged the FTC to focus on the rise in data breaches and the increased risk of identity theft.
How can CSPi help
We understand the challenges organizations face today in implementing a comprehensive and effective network security and data protection infrastructure. While it may be challenging, the right security tools may save the business from the devastating effects of a data breach. This is especially true when you consider that only a subset of companies can absorb the costs described in the Wendy’s data breach example above.
CSPi’s suite of cybersecurity solutions can provide much-needed vigilance to not only recognize but also neutralize threats before they become a risk that impacts consumers. For instance, it seems that Wendy’s did not have complete insight into which devices were accessing, or using, the PII data in its possession, especially data that moved east-west through the network. Utilizing our ARIA SDS solution, organizations have the tools and capabilities needed to not only enforce their security posture but also gain the proof needed for legal and regulatory compliance.
Given the vagueness of the FTC’s parameters for “taking reasonable steps” to prevent data breaches and/or protect PII, organizations need exact reporting. Our breach response solutions provide the details needed to conduct a focused forensic analysis to understand the scope and impact of any breach, or potential breach, in hours.
These are just two examples of how CSPi solutions are transforming security approaches and results. To learn more, please visit www.cspi.com.
Or to learn more about how our solutions can help improve security and compliance, be sure to check our Data Privacy Regulations eBook today.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.