Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

© Ken Wolter/123RF.COM

Wendy’s Data Breach Expands in Scope, Malware Attacks Point-of-Sale System

Fast-food chain, Wendy’s, has disclosed that the number of franchised restaurants hit by a recent cyber-attack was “considerably higher” than the fewer than 300 locations that it had originally suggested were impacted. Wendy’s states that it has discovered an additional strain of malware that affected previously unidentified franchises. As cyber-attacks continue to rise within the retail sector, the particular vulnerability of franchised hospitality establishments comes into focus.

The cyber-attackers used a remote access tool to target the point-of-sale (POS) system of numerous establishments. Wendy’s contends that the malware in question was installed via the use of “compromised third-party vendor credentials.” All malware that has been detected thus far has been shut down, but Wendy’s faces multiple lawsuits, brought by both consumers and financial institutions, resulting from the systems breach. In February 2015, a proposed class action was launched against Wendy’s in Florida claiming that the company knowingly utilized lax security measures, resulting in the theft of personal debit card information. In addition, a proposed class of banks is suing Wendy’s in an effort to recover losses that they allegedly incurred as a result of the cyber-attack.

M&R will follow this litigation closely as it develops, but in the meantime, it is important for companies to pay careful attention to 1) the potential of malware in a POS system to affect numerous franchise locations; and 2) the threat of data security breaches arising via third party vendor relationships. Companies should consider the risk of providers' remote access credentials being compromised, and carefully review the manner in which they engage independent contractors, including evaluating the existence of indemnity provisions and other sorts of recourse. Business owners fearful of the significant repercussions of a cyber-attack are encouraged to learn more about both contractual safeguards and legal compliance concerning data security so that they are best protected.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.