Arby’s Admits Data Breach at Hundreds of Locations Due to Malware

It might be wise to start using cash to pay for your fast food habit.

Arby’s Restaurant Group is investigating a possible data breach due to malware installed on its point-of-sale systems. More than 355,000 credit and debit cards may have been affected.

Cybersecurity reporter Brian Krebs broke the story on his site.

Arby’s said it “recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.”

Krebs contacted Arby’s about the possible breach after receiving emails from sources at banks and credit unions asking if he knew anything about such a breach. He took the rumors to Arby’s, which said it hadn’t gone public about the incident at the request of the FBI.

Apparently only corporate stores, and not franchised locations, were affected.

While Arby’s owns more than 3,330 stores in the U.S., only one-third are corporate owned.

The company has yet to release more information about which individual restaurant locations were affected.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

It was a non-public alert from PSCU, a service organization that serves more than 800 credit unions, that provided the first clue something was amiss, according to the Krebs post.

The alert warned of a breach at an unnamed retailer that compromised 355,000 credit and debit cards issued by PSCU member banks. It also estimated the breach happened from Oct. 25, 2016 to Jan. 19, 2017. Remember, that number only relates to the 800 credit unions served by PSCU, which is to say the number of folks affected will likely be much larger, as this story points out.

KrebsOnSecurity broke the news of the Wendy’s breach last year, which affected more than 1,000 of the restaurant’s approximately 6,500 franchise and corporate owned locations. While news of that breach was first released in January 2016, the restaurant didn’t fully remove the malware until May 2016.

