Wendy's $50M cyberattack settlement signals growing threat to QSRs

Dive Brief:

The Wendy's Co. agreed to a $50 million settlement related to a class action lawsuit brought against the company by more than two dozen financial institutions following cyberattacks that targeted POS systems at more than 1,000 Wendy's locations in 2015 and 2016, according to a press release.
After exhausting applicable insurance, the company will pay $27.5 million of this amount. If approved by the court, the payment is expected to be made late 2019.
The restaurant previously agreed to pay $3.4 million to settle a class action lawsuit brought by consumers.

Dive Insight:

Wendy’s recent settlement reveals how incredibly expensive data breaches can be for restaurant brands. It costs about an average of $148 per compromised record or almost $3.9 million in total for a company recovering from a breach, according to IBM. But as Wendy's proved, subsequent lawsuits can bring that cost way up. These incidents can also impact customer trust in a company, leading to fewer return diners and impacting long-term same-store sales.

Despite the implementation of EMV chip card readers, hackers are still accessing POS systems. This often occurs through compromised third-party vendors, such as what occurred at Huddle House — a breach that went on for nearly two years.

"This is, unfortunately, a common theme today," Exabeam chief security strategist Stephen Moore said in an emailed statement. “Once a breach has been discovered, investigations typically reveal that adversaries have been occupying their network for days, if not months — and sometimes years."

And data breaches haven't been slowing down, either.

In addition to Huddle House, several restaurant chains have reported breaches in the last few months, including Caribou Coffee, Truluck's Seafood, Taco Bueno and Dunkin' (it's second within the last three months) — most of which occurred at their POS systems.

Fast food restaurants in particular have been hit with large data breaches. A breach at Sonic, which was reported in 2017, led to 5 million payment card accounts to appear on the dark web as part of a fire sale. Sonic later settled a $4.3 million class-action lawsuit brought on by customers.

With franchisee models, owners of individual restaurants often depend on the company for security and feel like that is enough to protect the business, without taking additional protocols or promoting the concept of security and privacy among store employees. Without proper training, employees could unsuspectingly open an email or click a link that lets the hackers into the restaurant's systems.

TGI Fridays, for example, has a multi-layered approach in place that uses multiple administrative, technical and physical controls across different platforms. Its Zero Trust Security model uses the motto "never trust, always verify" to ensure a culture where employees are always verifying information across multiple systems. Having a culture such as this one can help companies avoid costly data breaches that can easily cripple revenue growth.