Susan Tompor

Detroit Free Press Personal Finance Columnist

Michigan credit unions say the fraud involving the Wendy's security breach was extensive.

The Wendy's security breach took place some time from December 2015 through June 2016.

Michigan consumers who might have picked up a Wendy's Frosty or a Dave's Triple in the past six months or so need to pay attention to news of yet another security breach involving credit cards.

A long list of Michigan outlets that were hit by the security breach is posted online, but you need to scroll through the Wendy's site at http://payment.wendys.com/paymentcardcheck.html to find specific stores that were hit.

The dates range from Dec. 2, 2015, through June 8.

Four Wendy's were impacted in Ann Arbor, four in Livonia, four in Jackson, three in Lincoln Park, two in Clinton Township, two in Lansing and one each in Chesterfield, Detroit, Dearborn, East Lansing, Fowlerville, Hillsdale, and Northville. About 50 cities in Michigan are listed.

What do you do if you used a credit card or debit card at one of these locations? Wendy's has a toll-free number for you to call at 866-779-0485 from 9 a.m. to 6:30 p.m. weekdays to learn about fraud consultation services. See wendys.com/notice for information online, including the phone numbers to put a fraud alert on your accounts.

Consumers may also want to contact their bank or credit union and, if they used a debit card, pay extra attention to the money in their checking account. Several credit unions have been reporting an unusual level of debit card fraud that they claim is related to the breach at Wendy's.

Watchdog Krebs On Security reported that Wendy's first began investigating a card breach early this year. Some credit union officials, the site said, were reporting that the losses so far from the Wendy's breach had eclipsed what they were hit with in the wake of the Home Depot and Target breaches.

The Michigan Credit Union League, its member credit unions and the Credit Union National Association said they are advocating for stronger accountability for merchants and card network companies after a data breach at Wendy’s forced a number of Michigan credit unions to cover the associated costs. The national credit union association announced it was joining a data-breach lawsuit against the restaurant chain.

One Michigan credit union, Belle River Community Credit Union, reportedly paid $8,000 in fraudulent charges.

In addition, the credit union claimed it paid $1,000 in out-of-pocket costs to issue new cards as a result of the breach.

Credit unions and others are seeking tougher regulations regarding reporting of breaches.

"Retailers big and small experience a breach, and months go by without any notice to credit unions of which cards are compromised, which results in a spike in fraud losses — and once again, local credit unions are left holding the bag," according to a statement from Michigan Credit Union League CEO Dave Adams.

Wendy’s is offering one year of complimentary fraud consultation and identity restoration services to all customers who used a payment card at a potentially affected restaurant during the specific time of the breach.

Wendy's said the additional malware targeted the cardholder name, credit or debit card number, expiration date, cardholder verification value and service code. But Wendy's said the three- or four-digit number used for online transactions was not hit in the security breach.

"We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity," according to a letter that Wendy's posted online that was signed by Todd Penegor, president and CEO of the Wendy's Co.

Contact Susan Tompor: stompor@freepress.com or 313-222-8876. Follow her on Twitter @Tompor.