February 9, 2017

Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

arbys2A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” reads the alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017.

Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast food chain Wendy’s. KrebsOnSecurity broke the news of that breach in January 2016, but the company didn’t announce it had fully removed the malware from its systems until May 2016. But two months after that the company was forced to admit that many Wendy’s locations were still compromised.

B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” Berger said. “That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because the company was re-compromised after it scrubbed its payment systems of malicious software. Many banks and credit unions ended up re-issuing customer cards several times throughout last year after loyal Wendy’s customers re-compromised their brand new cards again and again because they routinely ate at multiple Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit transactions through Wendy’s when they were still dealing with that breach,” Berger said. “Our member credit unions were eating the costs of fraud on compromised cards, and on top of that having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

109 thoughts on “Fast Food Chain Arby’s Acknowledges Breach

  1. C Calamis

    Are we not forgetting that it is the criminals who are causing this? Let’s not just jump on the companies, the clearing houses, or the banks right away. There is plenty of blame that can be assigned, but the real criminals are the ones that steal and then sell the data. Banks were too busy arguing over the encryption method used in the chips for years, as they made billions of dollars saying that fraud was a reason they have to charge high interest and late fee rates. As a employee for a large corporation, I can tell you that there are many places along the way where information can be intercepted, not just at the POS terminal. Companies for the most part do not want this kind of publicity, and do take security seriously. However I do agree with the opinion that on the other hand, many executives will just want to point the finger at another managed service company they contracted with and say that they did not live up to their SLA and that there will be financial penalties. Alot of good that will do when people stop shopping at their stores for fear of theift of their information

  2. Rizzo

    Where are these being sold? Clearly rescator isnt in business.

  3. Robert Ostrow

    I am amused that the internet has become a haven for
    criminals. I am reading Spam Nation and I see how the opportunist will use technical skills to rip people off. There is more to life then staying on the internet and stealing people’s lives, money and property. The book is very enlightening and interesting, how highly educated people, waste time on the internet trying to defeat the powerless.

    1. Mike Scott

      I think we are missing some points here. Cyber criminals are not “wasting” their time on the internet. They are making millions of dollars and living in a country where they are seen as hero’s and live like kings. While it isn’t an honest living, it isn’t hard to see how someone could be attracted to a crime with high payouts and minimal risk.

      Talks of EMV are really not going to address the problem. EMV can move some liability from the merchant and make monetization of cards more difficult. From there they will move to online targets and eventually crack EMV which is not exactly new technology. Visa and Mastercard want you to believe EMV is the solution, they get yet another part of the transaction even if you are using a non-Visa or Mastercard card.

      I agree that we have to stop treating merchants like criminals. We don’t hold a bank liable and slam them all over the web when they are robbed. Encryption is the key to this, of course no one can settle on standards as the vendors are all trying to secure the billions of dollars in potential for themselves and lock you into their technology. Having spent many years at a merchant, my experience is that there isn’t a lack of desire to move to P2PE but there are so many roadblocks it is very difficult to implement.

  4. JJ

    Brian, the date on the article is Feb. 17th. You’re good, but you’re not that good. Yet. 🙂

      1. Frank

        This causes a lot of confusion. Maybe change the year to 4 digits? I’m sure you’ve had this suggestion before. And I know it will make the date a bit less compact. But this comes up so often, perhaps it is worth trading a little less sleekness for a lot more clarity?

  5. Cole Pendleton

    Is it possible to get a listing of the corporate locations?

  6. Dannielle West

    If we could get a list of stores involved would be great!

  7. celdor

    i see usa is easy country? Just be smart and take the cashh.

  8. amigo

    Uk au ca and usa all corrupted full of chaos naitions.
    Countries like norway sweden finland you get much
    Better life quality. Im fed up this news what i hear
    From news about english speaking countries.
    What is wrong in Usa ??? I think its end of usa

  9. E.M.H.

    Well, since number of exposures are a factor of risk analysis, I can tell you all right now I am so screwed.

  10. JB

    Who was the solution provider and what was the brand of point of sale system?

  11. Not Another Breach

    Do we know if Arby’s is EMV compliant yet? I am going to assume they are not, but am hopeful to hear I am wrong.

    1. Larry OConnor

      EMV has been a logistics issue at QS restaurants. Traditional EMV is a 20 second Auth/Capture process post sale input. That’s an eon in fast food time.

      Visa and other card brands have now agreed on a “Quick Chip” model that reduces the time to, typically, under 5 seconds. 2017 should be a big time for adoption as Quick Chip gains momentum. Readers should all be encrypted at input, which also reduces exposure for all card present merchants.

      1. Joe Filip

        is there more info on this quick chip? is it in the field now and will it be another hardware upgrade?

  12. fritz

    There could be a more secure fast way to pay small amounts of money like in fast food chains. I use the Gelkarte, thats a chip on my bankcard, mostly for paying my train ticket once a week instead of using my bankcard with a pin or taking care to have enough cash on me.

    From Wikipedia:
    GeldKarte (German: “money card”) is a stored-value card or electronic cash system used in Germany. It operates as an offline smart card for small payment at things like vending machines and to pay for public transport or parking tickets. The card is pre-paid and funds are loaded onto the card using ATMs or dedicated charging machines.

    The first field trial took place in 1996 in Ravensburg. Despite a slow initial take up from merchants and customers, it was their use in vending machines that made the system popular.

    Cigarette vending machine in Germany with GeldKarte slot. The inscription translates as: “From 1 January 2007. With card, without ‘complicated’. Insert your card, get a pack”.

    Since 1 January 2007, the card can be used to prove the holders age at cigarette vending machines. The date of birth is encoded on the card and must be verified when the card is issued, allowing the vending machine to only dispense cigarettes to those who are older than 18 years of age, the legal limit in Germany.

    By 2009, 132 million Euros were spend through the GeldKarte system. The average transaction had a value of €3.[1]

    Many banks now issue cards with contactless GeldKarte functionality (branded as girogo).

  13. JerrBear

    If I were the bad guys I would have a War Room set up with a flow chart of possible actions industry could take to stop my criminal activity. I would then hire computer scientists to set up a Think Tank to already have contingency plans made for those actions. Something like the Military does future wars and insurrections. I don’t think any legitimate company or industry is smart enough to do that since they are always (and probably only) focused on the next quarter’s profits. Plus it’s harder to implement industry changes than hacking companies, one company at a time.

  14. Albert Trotter

    well ! there is no way to be protected from cyber criminal…i guess the only solution to the problem is that do the online transaction as less as possible

Comments are closed.