Pennsylvania-based First Choice Credit Union filed a class action lawsuit against Wendy’s over a data breach the retailer experienced last year.
The suit alleged that the fast-food chain didn’t properly safeguard customer credit and debit card information, Reuters said, citing a report in Westlaw Next Practitioners Insight. The breach, which went undetected for weeks, let hackers make fraudulent purchases on the payment cards that were exposed.
Wendy’s found malware on the systems at some of its restaurants that were under investigation after some customers reported unusual activity on their payment cards used at several of the fast-food retailers’ locations. Because the breach went undetected for weeks, hackers racked up hundreds of thousands such purchases.
“In addition to consumer restitution, industry fines and corporate brand damage, the financial consequences of PCI data breaches now routinely include the costs of defending against lawsuits brought by affected parties and any resulting judgments,” George Rice, senior director, payments for HPE Security – Data Security, said in comments emailed to SCMagazine.com. “Security-deficient merchants will find it difficult to defend themselves against such lawsuits when powerful data security solutions are readily available on the market.”
Rice noted that point-of-sale (POS) systems “are often the weak link in the chain – they should be isolated from other networks, but often are connected.”
And, because it is in constant use, a checkout terminals is “usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”
Savvy merchants, he said, are meeting risk head-on “and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance.”
Retailers can eliminate “the exposure of live information in vulnerable POS systems” by “encrypting data in the card reading terminal ahead of the POS,” said Rice. “The attackers get only useless encrypted data.”