Arby’s Admits Malware Infection And Credit Card Breach At Hundreds Of Restaurants

Image courtesy of Nicholas Eckhart

The last time you satisfied your craving for seasoned curly fries at Arby’s, did you use a credit or debit card? It’s time to start watching your statements for fraudulent transactions and also to watch your mailbox for a new card: Arby’s announced a payment card breach at a few hundred of its restaurants.

The fast-food chain came clean only when Krebs on Security inquired about a possible breach, claiming that the FBI had asked the company not to announce the malware incident.

“While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted,” an Arby’s spokesperson said in a statement to Krebs.

This was a familiar attack from recent breaches at businesses like Wendy’s, InterContinental Hotels, and Noodles and Company: The restaurants’ payment terminals were infected with malware, which captured customers’ payment card numbers, which the thieves in turn put up for sale.

That means your card data is probably safe if you use it at a corporate-owned Arby’s from here out. You probably don’t know whether your favorite Arby’s is a corporate-owned or franchised location, though, and there isn’t yet a list of affected restaurants.

PSCU, a cooperative of credit unions that provides services to member financial institutions, told its members in an alert provided to Brian Krebs that 355,000 cards were compromised in the Arby’s breach just among the 800 credit unions that PSCU serves. The organization also estimates that the malware was gobbling card numbers between Oct. 25, 2016 and Jan. 19, 2017.

Remember to comb your credit and debit card statements for unfamiliar-looking transactions all of the time, not just when you’ve heard that a retailer you visited has been breached.

We are awaiting a statement on the breach from novelty Twitter account Nihilist Arby’s.