Arby's Restaurant Group, Inc., has confirmed that a breach affected payment systems at its corporate restaurant locations. Information security investigative journalist Brian Krebs first learned something was up when several banks and credit unions reached out to him inquiring if he had heard of an incident involving Arby's. He subsequently reached out to the Atlanta-headquartered fast food restaurant chain about those inquiries. In response, a spokesperson for the company confirmed in a statement it had received reports about a breach in mid-January but hadn't publicly disclosed it at the request of the FBI. As quoted by Brian Krebs:
“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems. Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant. While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted."
At this time, the incident appears to have taken place between 25 October 2016 and 19 January 2017. Those responsible for the breach installed malware onto the payment card systems at at least some of Arby's 1,000+ corporate restaurant locations in the United States. Fortunately, the restaurant chain has found no evidence to suggest the breach affected any of its other 3,300 U.S. locations, the remainder of which are franchises.
No doubt Arby's will release more information about the incident, including which of its corporate locations the malware affected. While we wait for these updates, customers who visited an Arby's during the time frame mentioned above should watch their payment card statements for unauthorized transactions. If they see any charges that they didn't make, they should notify their card issuers immediately. No one will hold them responsible for those transactions so long as they report them in a timely manner. News of this breach follows more than a year after Wendy's, another fast-food restaurant chain, announced it was investigating a payment card breach.
