Some Credit Unions Getting Clobbered From Wendy’s Breach
While Wendy’s has been pretty quiet regarding the credit card breach that they appear to have suffered, others are not so quiet.
You may remember from my February 1st post (see here) that Wendy’s VP and treasurer Gavin Waugh said a couple of years ago that Wendy’s fraud rate was so low that paying the fraud liability is a whole lot cheaper than putting in [EMV] terminals. I suspect that he now regrets having made that statement publicly.
The problem with Waugh’s statement is this: he is correct that if people use a stolen credit card to buy a $1.99 burger, it is pretty cheap to reimburse the owner of the card, but that is not what he is dealing with today.
Assuming the story is correct, a breach of their point of sale system could expose tens of millions of cards. If, say, there is zero fraud (not the case – see below) but the banks have to reissue 10 million cards, that is a $100+ million invoice. Some of that is likely offset by insurance, but Wendy’s is not saying how much. Since they are publicly traded, they will have to say something eventually.
The other problem that Waugh has to deal with is the “shift in liability” that occurred in October 2015. That shift means that Wendy’s is responsible for the full cost associated with each chip card that is breached. Non-chip card losses are still eaten by the banks. Depending on the mix – still unknown – and the number, you can make up whatever math you want to.
However, what B. Dan Berger, CEO at the National Association of Federal Credit Unions, is saying is that credit unions saw a huge increase in debit card fraud in the few weeks before the breach became public. Remember, a LOT of people visit Wendy’s on any given day, hence LOTS of credit card numbers.
One credit union CEO said:
“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.
“All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”
Assuming this turns out to be true, we could be talking maybe a hundred million cards and the bill for that could be large.
We should anticipate them saying something in their quarterly update in early April, but it likely will be vague. How vague is unknown.
Information for this post came from KrebsOnSecurity.