Wendy's customers asked for weeks: Where's the breach?
And for weeks it remained a mystery.
In early January, many customers who frequented the burger joint's locations in Florida, Nevada, California and Illinois began to complain on social media about unauthorized transactions on their credit cards. Kristin Faltin, a student at Northern Illinois University, suspected her credit card information was stolen in early January after a trip to a Wendy's in DeKalb, Illinois.
"It was through a drive-thru, so I'm not sure if it was run through a card reader," Faltin told CNBC.com. "I had insufficient funds or not enough credit so they weren't able to get much from my account."
News of the Wendy's hack didn't surface until security blogger Brian Krebs reported it in late January. When Wendy's reported earnings in February, it acknowledged that "unusual credit card activity" stemmed from malware on the systems of certain Wendy's restaurants. What it didn't say is whether those restaurants were owned by the company or by franchisees.
Therein lies the rub.
The big difference between Wendy's malware incident and other prominent hacks, like the one Target suffered during the holiday shopping season in 2013, lies in where responsibility for the breach is assigned.
In late 2015, the credit card industry imposed rules on itself requiring all retailers to upgrade to new card readers that accept EMV (Europay, MasterCard, Visa) chips, meant to enhance security. The readers require users to insert, not swipe, their cards.
Part of the new EMV rules moves fraud liability away from banks and onto retailers and merchants. Failure to upgrade to the new system, for which the initial deadline has already passed, doesn't carry any specific punishment with it — unless the business owner is the victim of a hack. In the case of this year's Wendy's hack, if the franchisees are at fault they will bear the brunt of the costs associated with reimbursing hacking victims.
Hackers don't discriminate between company-owned stores and franchises, and likely had no way of knowing whether they were attacking a corporate entity or a small franchisee with a few million dollars in revenue and several dozen employees. Whether the business owners are franchisees or independent operators, the liability has already moved away from corporate parents and big banks to small businesses.
"Each franchisor contract is different; they can mandate franchisees use certain technologies," said Jim Huguelet of The Huguelet Group, an information technology consulting firm specializing in retail. "If they haven't looked at their contracts recently, I would suggest they take a look" to determine liability in the event of a hack.
Many Wendy's franchisees have yet to make the upgrade to new card-reading technology.
In its annual investor day report, Wendy's told shareholders that it has deployed new point-of-sale technology in all of the restaurants it owns, but that 40 percent of all restaurants, a figure that includes franchisees, have yet to make the upgrade. The company said it expects to complete full installation of the new point-of-sale technology by the end of 2016.
When asked if Wendy's new point-of-sale technology includes EMV card readers, company spokesman Bob Bertini said most stores have yet to install the readers.
That would put Wendy's more than a year behind the credit card industry's deadline for full compliance with the new rules.
The burger chain is not alone. Consulting firm Strawhecker Group, which focuses on payments, surveyed 90 companies representing about 4 million merchants and found that nearly 40 percent of respondents had fallen behind in their EMV reader implementation plans.
"A lot of key stakeholders in the EMV migration were not prepared," said Jared Drieling, Strawhecker's business intelligence manager.
The Wendy's Faltin visited, and where she suspected her account was hacked, isn't owned by the corporation. It is affiliated with Saren Restaurants. Faltin said she was reimbursed quickly for the card she suspects was compromised at Wendy's.
Saren Restaurants runs seven other Wendy's in Illinois, its operations executive Sean Niklas told CNBC. Niklas says the hacking incident stemmed from legacy point-of-service technology used at certain restaurants. He said the location where Faltin believes her account was hacked did not have upgraded payment readers, but that he plans to install them in all of his stores.
Instead of swiping a credit or debit card, the new EMV machines require users to insert their cards briefly into the machine. The process takes marginally longer than swiping, which has created consternation but didn't appear to affect retailer revenues during the holiday shopping season after the new rules took effect in October. The industry expectation for the new EMV credit and debit cards is that consumers' data will be better protected and more difficult to steal at the point of sale. Still, the shift in liability has generated consequences for retailers and customers alike.
"It's increasingly likely this is going to get resolved through litigation," said David King, a senior manager focused on cybersecurity and compliance with UHY Advisors.
In fact, it already is.
Whereas Faltin was reimbursed, not every hack victim is so quickly remunerated.
A Florida man says he got charged for hundreds of dollars by national retailers after his account was hacked at a Wendy's. His credit union has yet to reimburse him and he is suing Wendy's for damages, according to his attorney, John Yalchunis. Yalchunis said the case is being handled as a class action suit, meaning the burger chain's problems could be growing as a result of the January hack.
Wendy's has other legal headaches. The company and one of its biggest franchisees, DavCo Restaurants, have sued each other in a dispute over Wendy's decision to require franchises to install new point-of-sale systems and make other site upgrades that DavCo said are too costly.
DavCo executives and their lawyers did not respond to requests seeking comment. Wendy's declined to comment on the lawsuits.
"Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident," said Bertini, the Wendy's spokesman. "Because the investigation is active and ongoing, we cannot provide additional details at this time."
Huguelet said many insurance policies available to small businesses and franchisees may not cover fraud or losses if the policyholder is deemed to have contributed to the incident by not making industry-mandated upgrades to payment card readers. When Target saw its computer systems compromised, it cost the company about $150 million, not counting a $38 million insurance payout the retailer received. It's unlikely that, in the event of a hacking incident for which a store owner or franchisee is liable, they would be similarly protected.
However, just because a retailer, big or small, has suffered a hack doesn't mean banks will come calling with a bill. It takes a certain loss threshold — according to one security expert, around $100,000 — to get FBI resources dedicated.
"There has to be more significant damages for someone to start conducting an investigation," said Ondrej Krehel, founder and CEO of digital forensics and cybersecurity firm Lifars.
The new EMV chip rules are no different for independent retailers using mobile pay products like Square.
The payments company also makes an EMV chip card reader, which it advertises on its website, although it has not yet been widely adopted. Square began shipping the new EMV readers, which can also accept mobile payments, in November. The company declined to comment on how widespread adoption has been; Square also continues to sell card readers that lack EMV capability.
On a recent CNBC "Mad Money" appearance, the current CEO of Wendy's, Emil Brolick, was joined by CFO Todd Penegor, who will replace Brolick when he retires this year. Penegor said that one of the burger company's priorities is implementing new technology into its points of sale.
"We're spending a lot of money to really work on consumer facing technology," Penegor said, meaning self-order kiosks at restaurants, mobile orders and mobile payment. "What we really want to do is put the hands of those operations into the consumer."
But, ideally, also out of the hands of hackers.