A credit union told its customers that their payment and debit cards will be temporarily declined at all Wendy's restaurant locations.
American 1 Credit Union announced the temporary block on 6 October 2016, just a few months after Wendy's confirmed that a point-of-sale (POS) malware attack had affected more than 1,000 of its restaurant locations.
The Michigan-based credit union explains in a blog post that it made the move as customers continue to report fraud on their accounts, which might suggest the restaurant chain failed to properly contain the breach:
"On Wednesday, September 29, American 1 Credit Union announced that, effective Monday, October 3, all American 1 credit and debit cards would be temporarily declined at all Wendy’s restaurant locations. While Wendy’s has reported that the malware responsible for the cyberattacks has been disabled at all franchise locations affected by the data breach, community members have still been reporting fraudulent activity on their accounts, even after reissuance of their debit or credit card. Therefore, in order to protect member accounts, the credit union made the decision to decline all credit and debit card transactions at any Wendy’s location until further notice."
It's unclear whether the Wendy's contained the breach or if hackers possibly still have a foothold in the restaurant chain's network.
American 1 has itself in mind just as much as it does its customers in instituting the block.
The malware attack against Wendy compromised 18,000 cards issued by the credit union. In response, American 1 reissued thousands of customers' cards. But insurance only covered a fraction of the amount necessary to issue new cards and recover customers' stolen account funds. The credit union therefore had to pay the large majority of those costs itself.
David Puckett, CEO of American 1, says it's not uncommon for financial institutions to suffer in the wake of a data breach:
"When malicious cyberattacks like the recent attack on Wendy’s occur, there are many victims. Not only are the cardholders’ assets put at risk, but the financial institutions that issued the cards are left to foot the bill of any resulting theft – not wanting their members to suffer from an unfortunate event that was neither party’s fault. It’s a no-win situation.
"Until we are confident that our members’ cards are no longer at risk when used at Wendy’s, we will continue declining the transactions. As their local credit union, the best interest of our members is our number one priority.”
Those affected by the POS malware breach at Wendy's should continue to review their payment card statements for fraud. If they see anything suspicious, they should notify their card issuers.
Contact us today about our eLearning course on PCI DSS (Payment Card Industry Data Security Standard). This course is suitable for any professional who is likely to come into contact with payment or credit card information and needs to be aware of the regulations.