Credit Card Data Breach at Arby’s

Credit Card Data Breach at Arby’s

February 9, 2017         Written By Bill Hardekopf

Fast food chain Arby’s has been hit with a security breach that may have compromised at least 355,000 debit and credit cards.

Arby’s has confirmed the breach with Brian Krebs of KrebsOnSecurity. It is believed the breach could have affected hundreds of stores, though Arby’s has not yet commented on how long the payment systems were compromised. The PSCU, a servicing company for credit unions, said it is likely the breach happened between October 25 and January 19.

Krebs initially learned of the possible breach when six banks and credit unions independently contacted him to ask if he had heard anything about a breach at Arby’s. When Krebs reached out to the chain, they confirmed they had dealt with a breach involving malicious software installed on the payment card systems at hundreds of restaurants.

An Arby’s spokesperson said they had been notified in mid-January about the breach by some of their industry partners, but they had not released details to the public at the behest of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement to KrebsOnSecurity. “Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

The malware had been placed on corporate stores, so Arby’s franchised restaurants should not be impacted. Of the 3,330 Arby’s stores across the country, about one-third are corporate-owned.

This attack was similar to the ones that struck Target and Home Depot. The attackers installed malware on the payment systems, which allowed them to remotely steal data from every debit or credit card that was swiped. Criminals are able to access the payment network through the account of someone who has legitimate access. Generally, the authorized user’s login credentials are stolen through a phishing email. Once the hacker gets into the payment network, every payment terminal linked to the system is infected.

Arby’s has advised customers to keep an eye on their payment card account statements and report unauthorized activity immediately.

The information contained within this article was accurate as of February 9, 2017. For up-to-date
information on any of the terms, cards or offers mentioned above, visit the issuer's website.


About Bill Hardekopf

Bill Hardekopf is the CEO of and covers the credit card industry from all perspectives. Bill has been involved with personal finance for over 15 years. He is a frequent contributor to Forbes, The Street and The Christian Science Monitor.
View all posts by Bill Hardekopf
Featured Low Interest Card
Top Features : 1.25X miles on every purchase; no annual fee; bonus of 20,000 miles once $1,000 is spent in first 3 months
Featured No Annual Fee Card
Top Features : Earn cash back twice. 1% when you buy plus 1% as you pay; 0% APR for 18 months on balance transfers
Featured Bad Credit Card
Top Features : No Annual Fee; Cash Back match at the end of your first year; Social Security Alerts
Featured Fair Credit Card
Top Features : No annual fee; access to higher credit line after making first 5 monthly payments on time
Featured Limited/No Credit
Top Features : No annual fee; reports to major credit bureaus; access to higher credit line after making first 5 monthly payments on time
Featured Cash Back Card
Top Features : No Annual Fee, Bonus Offer, Cash Back