Arby’s has confirmed that a massive data breach has occurred at “hundreds” of its restaurants, potentially putting more than 355,000 of its customers’ credit and debit cards into the hands of hackers. The hackers reportedly placed malware on the payment systems of corporate stores, and the possible carnage looks serious — the National Association of Federal Credit Unions’ CEO describes it as “probably one of the biggest numbers I’ve heard.” Krebs on Security was tipped off to the breach by insiders, and reports Arby’s learned about it in mid-January, but was waiting to go public at the FBI’s request.
Krebs says the first clues appeared in an alert issued by a large credit-union service organization called PSCU. The notice informed members it had received “very long lists” of compromised Visa and MasterCard numbers “associated with a large fast food restaurant chain, yet to be announced to the public.” Arby’s says it reported the attack immediately and has brought in a team of security experts, just like Wendy’s did after suffering a similarly huge breach last year.
The company stresses that franchise locations are not affected. In total, it has more than 3,300 American stores, and just over 1,000 are Arby’s-run. A rep for the chain further explains — still without offering terribly helpful specifics — that “not all” of these corporate locations were impacted, either. The “most important point” to take away, he adds, is that Arby’s has “fully contained and eradicated the malware.”