Wendy’s will pay $50 million to settle a class action lawsuit that claimed the fast food chain’s sub-par security systems allowed hackers to steal millions of customers’ credit card credentials.
A group of 24 credit unions and other financial institutions sued Wendy’s over data breaches that occurred in 2015 and 2016 affecting some 18 million credit cards from 7,500 financial institutions. More than 1,025 Wendy’s locations were hit by a wave of malware attacks, a figure that company officials had initially pegged as limited to 300 locations. Wendy’s blamed the breach on a third-party vendor servicing its independently owned and operated franchisees.
Should the Court accept the proposed settlement amount, payments would not begin until later this year. Wendy’s had previously settled a consumer class action lawsuit last October for $3.4 million.
“Based on our experience and expertise, Class Counsel believe that the settlement is fair, adequate, reasonable, an excellent result for the Settlement Class, and represents a desirable resolution of this Litigation,” wrote Gary Lynch, attorney for the plaintiffs, in a declaration supporting the plaintiffs’ motion for preliminary approval of the settlement offer.
“Because the Settlement represents a fair and reasonable recovery on behalf of the Plaintiffs and the proposed Settlement Class, Class Counsel believe that the Court should preliminarily approve the Settlement and direct Notice to be issued to the Settlement Class,” he said.
Of the proposed $50 million settlement fund, $36 million will go to the financial institutions to compensate for bank card data exposed in the breach. Wendy’s expects the cyber attacks will cost it about $35 million, the company said last week in a Securities and Exchange Commission filing.
"With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks,” Todd Penegor, Wendy's president and CEO, said in a statement.
For its Q3 ended September 30, 2018, Wendy's reported revenue of $400.5 million, a 30 percent uptick in sales from the $308 million it recorded at the same time last year. Net income rose from $14.3 million in the year earlier period to $391.2 million.
In the past few months, other class action settlements have dotted the security litigation landscape. For example, earlier this year credit rating agency Experian reached a $22 million settlement to resolve a consolidated class action lawsuit resulting from a 2015 data breach. As in the Wendy’s lawsuit, the plaintiffs in the Experian case claimed the company failed to adequately protect the personal information of about 15 million consumers.
And, late last year, health insurer Anthem agreed to pay $115 million in a settlement over its 2015 data breach that hit nearly 79 million people. In late January, a federal judge rejected Yahoo’s proposed $50 million settlement for three breaches from 2013 to 2016 that affected an estimated three billion accounts.