Jackson, Mich.-based American 1 Credit Union is temporarily blocking all credit and debit card transactions at Wendy's locations, claiming that members are still reporting fraudulent activity on reissued cards, even though the fast food chain says the malware responsible for the recent data breach has been disabled at all franchise locations.
American 1 said in a statement it intends to continue blocking all Wendy's transactions until further notice.
The $300 million-asset credit union estimated that total losses to date due to the Wendy's cyberattack are equal to the losses it incurred following the massive Home Depot data breach in 2014 and that they will "continue to grow." The credit union did not provide specifics on total losses tied to either breach, but said that more than 4,200 cards had to be reissued to members as a result of the Home Depot breach. Of the stolen funds returned to members' accounts, only 11% of that amount was covered by insurance, with American 1 CU paying for the remaining 89% of losses out of pocket.
According to data from the Credit Union National Association, the Home Depot breach cost the industry nearly $60 million.
"When malicious cyberattacks like the recent attack on Wendy's occur, there are many victims," said David Puckett, CEO of American 1 CU, in a statement. "Not only are the cardholders' assets put at risk, but the financial institutions that issued the cards are left to foot the bill of any resulting theft – not wanting their members to suffer from an unfortunate event that was neither party's fault. It's a no-win situation."
American 1 CU claims to have the largest card base of any financial institution in the Jackson County area, with more than 47,000 issued cards. The credit union indicated that more than 18,000 of those cards were compromised with the recent Wendy's cyberattacks. The amount of stolen money American 1 has already returned to its members is "just shy" of the amount returned in the Home Depot cyberattacks with additional disputes being resolved daily.
"Until we are confident that our members' cards are no longer at risk when used at Wendy's, we will continue declining the transactions," added Puckett.
Plenty of Support
Credit union advocacy groups are particularly worried about such fraudulent activities that may harm members.
The Michigan Credit Union League (MCUL) said it is urging the Michigan congressional delegation to pass legislation that would require retailers, such as Wendy's, to meet the same security measures as financial institutions. "[This] would help prevent credit unions from facing such unwarranted financial burdens," said MCUL Senior Regulatory and Legislative Affairs Specialist Sarah Stevenson. "When these breaches happen, it is ultimately consumers who may pay the price as the costs could get passed down to them through higher fees, rates and other increases."
This past summer, on behalf of Michigan credit unions, MCUL joined the class action lawsuit against Wendy's after the data breach.
Similarly, Dan Berger, president and CEO of National Association of Federal Credit Unions (NAFCU), warned that because of massive and ongoing fraud losses caused by merchants like Wendy's, "this highlights the struggles that credit unions face in trying to control fraud losses." Berger added that this is "especially frustrating" when there are repeated fraud losses from the same merchant over and over again.
"Each credit union will need to make their own decision on what is best for their members and institution in controlling these continuous and unending breaches by retailers and merchants," Berger stated.
