Continue to Site

    Wendy’s Enters into Settlement Agreement Stemming from Cyberattack Lawsuit

  • During the attacks hackers were able to access debit and credit card information.

    Wendy's
    The criminal cyberattacks targeted the point-of-sale systems at more than 1,000 Wendy’s locations.

    Two years after Wendy’s suffered a massive security breach, the company has entered into a settlement agreement with various financial institutions that had filed class-action lawsuits were filed against the company as a result of a series of cyberattacks Wendy’s franchisees suffered in 2015 and 2016.

    The criminal cyberattacks targeted the point-of-sale systems at more than 1,000 Wendy’s locations, or around 18 percent of Wendy’s franchised locations at the time. The series of attacks took place between November 2015 and May 2016 with one in particular lasting from October 2015 to March 2016.

    During the attacks hackers were able to access debit and credit card information—including cardholder names, credit or debit card numbers, and expiration dates—as a result of malicious software that was found on the company’s point-of-sales systems.

    READ MORE: How to Protect Your Restaurant from a Cyberattack

    In 2016 financial institutions brought on a nationwide class-action suit alleging that Wendy’s failed in both safeguarding customer-payment card information and in providing notice that payment card information had been compromised.

    "We are encouraged by the progress made to resolve this case, and we believe this settlement is in the best interests of Wendy's and its shareholders," said Todd Penegor, president and chief executive officer, in a statement. "With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks.  We look forward to putting this behind us so that we can continue to focus on growing the Wendy's brand."

    If the proposed settlement is approved, the financial institutions will receive $50 million. Wendy’s expects to pay approximately $27.5 million of this amount. The settlement agreement is subject to court approval and Wendy’s anticipates the payment won’t need to be made until late 2019.

    Over the past few years, various chains in the restaurant industry have experienced some sort of cyberattack. In April 2018, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and PDQ grappled with breaches recently.