Fast food giant Wendy’s has agreed to settle a lawsuit involving a group of financial institutions following a 2015 and 2016 data breach.
Credit Union National Association (CUNA), one of the plaintiffs, said Wendy’s will contribute $50 million into a fund that will compensate financial institutions in a press release on Wednesday.
“We are pleased that Wendy’s has agreed to settle claims involving this data breach. The settlement provides a substantial financial recovery to credit unions that were harmed by the data breach” said Jim Nussle, CUNA President and CEO, in a statement. “We will continue to fight for recoveries on behalf of credit unions who bear the financial burden of merchant data breach costs. CUNA continues to pursue federal data security laws, making it much harder for merchants to compromise American consumer’s payment card information.”
In May 2016, the company announced that fewer than 300 restaurants had been affected by the breach, which saw malware installed on point-of-sale systems. But that following June, it said a deeper breach was indicated that affected 1,025 restaurants.
The lawsuit alleged that Wendy’s failed to safeguard customer credit card information and failed to provide notice that customer information had been compromised. The institutions said vulnerabilities in the chain’s data security systems were responsible for the malware attack that impacted 18 million US customers.
Wendy’s CEO Todd Penegor said that the company has now reached agreements to resolve all the legal issues that arose in the aftermath of the attacks.
“We are encouraged by the progress made to resolve this case, and we believe this settlement is in the best interests of Wendy’s and its shareholders,” said Penegor. “With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks. We look forward to putting this behind us so that we can continue to focus on growing the Wendy’s brand.”
In a statement, Wendy’s said the payment would include attorneys’ fees and costs. However, it expects to pay $27.5 million itself after it exhausts insurance. The settlement is pending court approval and if approved, will likely take place in 2019.
The company last year reached a settlement with customers affected by the data breach.