SAN FRANCISCO — Malware on cash registers at Arby's fast food restaurants may have resulted in the breach of more than 355,000 credit and debit cards.
The incident was first reported by security researcher and writer Brian Krebs and may have affected cards used at hundreds of the chain's restaurants. Only Arby's restaurants owned by the Atlanta, Ga.-based company were affected, not its franchises.
The malware allowed attackers to remotely steal data from each credit card as it was swiped at the cash register. This is the same type of point-of-sale attack behind the mammoth credit card breaches at Target and Home Depot.
Arby’s Restaurant Group, Inc. said in a statement that it had recently launched an investigation of its payment card systems after learning of a possible data breach. The company immediately notified law enforcement and hired computer security companies to investigate.
It also eradicated the malware from systems at restaurants that were impacted, the company said.
Initial reports of the attack, which occurred between Oct. 25, 2016 and January 19, 2017, appear to have come from PSCU, a credit union service group, Krebs reported.
That could mean that problems with credit and debit cards not issued by credit unions have yet to be reported, so more breached accounts could be reported over time.
Dan Berger, the CEO of the National Association of Federally-Insured Credit Unions, called the ongoing waves of retail data breaches “a national nightmare” and reiterated the organization’s call for a national data security standard for retailers.
“Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015, and there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% hike over the same time last year,” said Berger.
Arby's reminded customers in its statement that “it is always advisable to closely monitor their payment card account statements for any unauthorized activity. If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card.”