ATLANTA, Ga.—Arby’s Restaurant Group has acknowledged that some of its stores have been hit by a data breach, according to KrebsOnSecurity.
Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide. Reports indicate that 355,000 cards are involved.
Krebs reported that a spokesperson for Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI. PSCU is credited for initially discovering the breach.
“Arby’s Restaurant Group, Inc. was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.
Arby’s told Krebs that when it learned of the hack that the company immediately notified law enforcement and enlisted the help of leading security experts, including Mandiant.
“While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted,” Arby’s said in the statement to KrebsOnSecurity.
Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted. Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned, KrebsOnSecurity reported.
“The continuing saga of retail data breaches have become a national nightmare. Cybercriminals are on a binge to capture American consumers’ valuable personal and financial data at every opportunity. The lack of a national standard of protection for merchants makes it easier for them,” said NAFCU President and CEO Dan Berger. “Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015. And there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% hike over the same time last year. This breach is another example of why Congress must act to implement national data security standards for retailers now.”
"It's just another example of the consequence of Congress' failure to enact strong data security standards on merchants that accept payment cards," said CUNA Chief Advocacy Officer Ryan Donovan.