Arby’s Restaurant Group Inc. is investigating a possible data breach in its point-of-sale systems that may involve more than 355,000 credit and debit cards.
The Atlanta-based Arby’s said it notified law enforcement and brought in leading security experts to investigate malware found on its point-of-sale system.
“While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted,” said Christopher Fuller, spokesman for the Arby’s Restaurant Group, in an email Monday.
The possible data breach, first reported Thursday by security expert Brian Krebs at his KrebsOnSecurity website, occurred in a window between Oct. 25 and Jan. 19, according to a notice from Payment Systems for Credit Unions, a service organization for the industry.
Krebs said Arby’s was notified of the possible breach in mid-January but did not go public at the request of the Federal Bureau of Investigation.
Krebs added that the malware involved company-owned stores and that franchised units were not impacted. About a third, or just over 1,000, of Arby’s 3,300 restaurants are company owned, according to Nation’s Restaurant News’ most recent Top 100 census.
The company said not all company-owned stores were affected by the malware. A list of restaurant locations affected by malware is not available.
Krebs said the first alerts about a possible breach and compromised Visa and MasterCard numbers were issued by PSCU, a service organization that serves more than 800 credit unions.
“The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast-food chain Wendy’s,” KrebsOnSecurity noted.
The Wendy’s Co., based in Dublin, Ohio, last July acknowledged that an October 2015 POS system attack affected 1,025 franchised locations.
Other major retailers, including Target and Home Depot, have experienced point-of-sale malware and payment card breaches over the past several years.
Arby’s has set up a website, arbys.com/security, to provide information on the possible data breach, though it currently offers only a blanket statement on the investigation.
“ARG reminds guests that it is always advisable to closely monitor their payment card account statements for any unauthorized activity,” the Arby’s statement said. “If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card.”
Contact Ron Ruggless at [email protected]