Hundreds of Arby’s Restaurants suffered a card breach, the Arby’s Restaurant Group is the second-largest quick-service fast-food sandwich restaurant chain in the US. Arby’s has more than 3,330 stores in the United States, one-third of those is directly owned by the company.
Brian Krebs first learned about the card breach from its sources in the financial industry, later representatives from the group confirmed him the incident. Arby’s Restaurants discovered the security breach in the mid-January when it was alerted by industry partners.
“Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.” wrote Brian Krebs
Why was the incident disclosed only now?
According to the company, the card breach was publicly disclosed only now due to an explicit request made by the FBI.
“A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.” continues Krebs.
“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.
“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”
The company hired Mandiant and other security experts to remove sanitize its systems and investigate the card breach. At the time I was writing, the company confirmed that systems have been cleaned up.
“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”
Crooks used a malware to compromise PoS systems at the Arby’s Restaurant Group, it is not clear how many payment cards may have been affected.
According to Krebs, who is aware of an alert from PSCU, more than 355,000 credit and debit cards issued by its members were compromised in a card breach at a major fast food restaurant chain.
The PSCU dated the card breach in the period between October 25, 2016 and January 19, 2017.
On July 2016, another major fast food restaurant chain suffered a card breach, the Wendy’s fast-food chain determined that roughly 1,000 of its restaurants had been breached by cyber criminals.
(Security Affairs – Arby’s Restaurant, Card breach)