In two earlier articles (here and here), we explained that the best way to deal with data breaches is to not let them happen in the first place. Pre-emptive measures sometimes cost a little more money upfront, but they’re far cheaper than dealing with the aftermath of a successful breach.
Yet what happens if a data breach has already occurred? What steps should you take to address the situation and limit any future damage?
Below are two recent case studies that highlight the dos and don’ts of surviving a data breach.
Case Study No. 1: Noodles & Company
Noodles & Company is a restaurant chain with roughly 500 locations across the country. In May 2016, multiple sources began reporting a disturbing pattern of fake charges on credit cards that had been used at some of these locations.
These rumors eventually reached Noodles & Company, prompting it to release the following message:
“We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials, and we are working with third-party forensic experts. Our investigation is ongoing and we will continue to share information.”
Note, however, that Noodles & Company didn't contact its customers directly. It certainly could have, given that its payment processor has cardholder info for everyone who has ever visited one of the restaurants. However, Noodles & Company left it up to the card-issuing banks to contact individual customers and send replacement cards. Fortunately, most of these banks provide liability coverage for their users.
Moving forward, Noodles & Company will replace all of its older credit card terminals with EMV-enabled readers — something it should have done when the card industry set an EMV migration deadline for October 2015. Had the company met that deadline, it could have avoided this embarrassing and costly data breach.
Case Study No. 2: Wendy's
A similar data breach happened at the popular fast food chain Wendy's. In January 2016, the company began hearing about fraudulent activity through the grapevine, and it released the following statement:
“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations.”
The extent of the damage is still unknown, but as many as 300 point-of-sale (POS) terminals had malware installed on them. The company has since hired a security firm to investigate the claims, but many believe these steps aren't enough. As recently as April of this year (four months after the breach was discovered), some Wendy's locations “were still leaking customer card data.”
Like Noodles & Company, Wendy's hadn’t upgraded its POS terminals to the more secure EMV standard, but this appears to have been a deliberate and conscious decision — and not a mere oversight. As recently as three years ago, the company's VP and treasurer Gavin Waugh publicly dismissed EMV technology and downplayed the damage that data breaches could inflict:
“Our actual fraud rate is so small it’s hardly worth mentioning… [EMV] doesn’t move the needle that much. Even if we pay the fraud liability, it’s a whole lot cheaper than putting in [EMV] terminals.”
Needless to say, Wendy's is now trying to update its POS terminals as quickly as possible, but it may be too little too late. The company's data breach could become one of the highest profile tests of the new liability rules that went into effect after the EMV deadline. If Wendy's is found guilty of negligence, it may be liable for fraudulent losses, legal fees and credit card replacements — all of which pale in comparison to the potential loss of consumer confidence and future sales.
Word to the wise: If you haven't upgraded your own in-store readers with EMV-ready terminals, let the above case studies serve as cautionary tales.
To learn how we can help you make the transition, contact our payment security team today.