Wendy’s to Pay $50M in Data Breach Settlement
Third Party Vendor Breaches on the rise
Payment card data was stolen from victims who purchased food at these locations and then used fraudulently at other merchants, after malware was installed through a third-party vendor.
The settlement includes attorneys’ fees and costs. Wendy’s said it would end up paying roughly $27.5 million of its own funds after exhausting insurance, according to the press release.
“With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks,” Wendy’s President and CEO Todd Penegor said in the release. “We look forward to putting this behind us so that we can continue to focus on growing the Wendy’s brand.”
Last September, Wendy’s settled a class action lawsuit from customers affected by the breach.
“Point of sale systems are lucrative targets for bad actors,” The Media Trust Digital Security and Operations Manager Mike Bittner told SC Media. “These systems are often outsourced to third parties with weak security postures, and give access to millions of payment card information. When malicious campaigns succeed, bad actors are able to either sell the information on the dark web or commit identity theft themselves.”
Bittner added that the fact that Wendy’s has had to settle with financial institutions and consumers shows the growing importance of securing identity and financial information. He explained that consumer privacy laws, both those already enacted and those on the horizon, will force businesses to improve their data protection and privacy capabilities.
Almost always, the bad guys are getting into these large networks with a phishing email as their initial attack vector. Stepping users through new-school security awareness training is a must today.
No one is safe in this day and age, but this article highlights the critical importance of third-party vendor selection. If your vendors are not taking security seriously, they are exposing YOU! Be very selective and understand what kind of access you are granting them to YOUR infrastructure.