An Arby's spokesperson told cybersecurity reporter Brian Krebs, the man behind the popular KrebsonSecurity blog, that the fast-food chain was notified of the data breach in mid-January, but has kept quiet about the situation at the request of the FBI.
"Upon learning of the incident, (Arby's Restaurant Group Inc.) immediately notified law enforcement and enlisted the experience of leading security experts," the company said in a statement released to Krebs. "While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at the restaurants that were impacted."
The fast-food chain did not identify which restaurants were affected by the software but told Krebs that it was found in systems serving the company's corporate stores.
There are more than 3,300 Arby's locations, and a majority of them are franchises, according to the company. Its parent company, Arby's Restaurant Group Inc., owns more than 1,000 of the restaurants.
"Not all of the corporate restaurants were affected," Christopher Fuller, Arby's senior vice president of communications, told Krebs. "But this is the most important point: that we have fully contained and eradicated the malware that was on our point-of-sale systems."
It was not immediately clear how long the malware was stealing card information. However, an alert from PCSU, an organization serves more than 800 credit unions, noted a data breach linked to an unnamed "large fast-food restaurant chain" that affected more than 355,000 credit and debit cards issued by PCSU member banks, Krebs reported.
The alert, which was sent to member banks, said the breach appeared to have lasted from Oct. 25, 2016, to Jan. 19, 2017.
Wendy's suffered a similarly large data breach last year that affected 1,025 restaurants.
In a statement, National Association of Federally-Insured Credit Unions president and CEO Dan Berger warned that data breaches like the ones that affected Arby's and Wendy's are likely to increase.
He urged legislators to create national data security standards for retailers.
"The continuing saga of retail data breaches have become a national nightmare," he said. "This breach is another example of why Congress must act to implement national data security standards for retailers now."
About the Author