The data breach at some Wendy’s restaurants might be a whopper.
That’s what Dan Berger, president of the National Association of Federal Credit Unions, told Brian Krebs, the author of the widely followed blog Krebs on Security.
“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher that what they were hit with after Home Depot or Target,” Berger said this week.
“It seems to have been the work of a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”
Berger did not respond to a request for comment Thursday. Wendy’s also declined to comment on the data breach other than to say its investigation was ongoing and some malware was found at some locations.
Wendy’s has not identified the locations where the breaches occurred, when it occurred, how many were involved and the dollar amounts of the transactions. Wendy’s, which is based in Dublin, has more than 6,000 stores worldwide, the vast majority of those in North America and owned by franchisees.
The lack of communication has frustrated at least one financial institution trying to diagnose the issue.
“We don’t know how large or small the problem is,” said Gretchen Bartholomew, director of operations for Columbus-based Kemba Financial Credit Union. “Wendy’s is not providing that information fast enough, which is typical in these breaches.”
Fraud on debit-card transactions in February at Kemba was up 34 percent on a dollar basis from January, she said. The credit union, which has 84,000 members primarily in central Ohio, can’t be certain that the breach at Wendy’s is behind the increase because of a lack of information.
“It has increased, but can I truly attribute that to Wendy’s? Probably a good portion of it is,” she said.
One analyst warned that if the breach hurts enough customers it could dent Wendy’s reputation and sales, similar to Chipotle’s food safety concerns last year.
“I think it depends right now on whether customers are impacted and how much that runs through social media,” said John Gordon, a restaurant analyst and principal of Pacific Management Consulting Group. “It could hurt them. Anytime something like this happens to a big, big retailer, it’s material.”
The scope of the breach remains unknown, though Berger shared with Krebs the opinion of one credit union CEO, who asked to remain anonymous. That person told Berger “that his or her credit union might face ‘5 to 10 times the loss’ it faced after the Target and Home Depot breaches,” according to a press release from the National Association of Federal Credit Unions.
Target settled with financial institutions late last year for $39.4 million related to fraudulent charges made in the wake of its 2013 breach.
The breach at Wendy’s would be the latest in what has been a string of data breaches at merchants across the country. Other restaurants such as Jimmy Johns and P.F. Chang’s, both in 2014, have reported similar issues.
The Home Depot breach affected 56 million credit and debit cards in 2014; the Target breach affected about 40 million debit and credit cards.
Consumers generally are protected from any losses because of breaches like these, but they will have to go through the hassle of getting a new card and updating accounts where automatic payments are made by credit card.
It’s unsettling for consumers to not know if their card has been compromised, and under current law retailers to not have to share which cards could have been compromised until their investigation is complete, sometimes taking months,” said Paul Mercer, president of the Ohio Credit Union League.
“Retailers do not face the same strict data security standards that financial institutions are subject to, and major merchant data breaches expose credit unions and other financial institutions to significant monetary costs and reputational risk. Credit unions cover the costs of fraud, blocking transactions, reissuing cards, increasing staffing at call centers and monitoring consumer accounts.”
Banks and credit unions have begun to issue new credit and debit cards containing computer chips — a small metallic square on the front of the card — that makes them harder to counterfeit and are supposed to protect against fraud, but the roll out has been slow and some retailers have not installed the equipment in their stores that will read the cards.
In cases where retailers have not deployed the equipment to read the new cards, the retailer absorbs the losses tied to fraudulent transactions.