According to a report from respected security journalist Brian Krebs, hundreds of Arby’s stores have had their payment systems hacked, compromising the credit cards of hundreds of thousands of customers. Although the hack is far from the largest we’ve seen in recent years, the number of credit cards stolen — and the fact that it was done at Arby’s, the home of cheap road-trip comfort food — makes it all the more painful.
Arby’s confirmed that a breach had hit some of its corporate stores at some point late last year. In a statement to Krebs, the restaurant chain said that it hadn’t gone public with the information at the request of the FBI:
“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.
“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”
The hack seems to have hit the point-of-sale or payment-processing systems in the restaurants, which would have allowed hackers to gather complete credit card information on customers. There are around 1,000 corporate-owned Arby’s stores in the US, and it seems that a majority (but not all) of those stores were hit.
An estimate provided by a credit union organization put the damage at around 335,000 compromised cards. Hackers can capture the data from any card whose magnetic stripe was swiped at a point-of-sale terminal, and then use that data to easily create a fake credit card and go on a shopping spree.
Consumers aren’t responsible for fraud on credit cards; that burden falls on providers like Visa and Mastercard, who are consequently working hard to roll out more secure technology like Chip-and-PIN, which is much harder to hack.