Arby's Gets Roasted in Breach of 300K Payment Cards


Fast-food roast beef emporium Arby's has remediated a breach impacting about 300,000 payment cards.

The event involved malicious software installed on payment card systems at hundreds of its corporate-owned restaurant locations across the US—however, franchises were spared.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” Christopher Fuller, Arby’s senior vice president of communications, told Krebs. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

A spokesperson told independent researcher Brian Krebs that the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement. “Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant. While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Details are so far sparse, but the fact that only corporate-owned locations were impacted indicates a network compromise.

“[This] implies that the breach happened through a central location, likely corporate HQ, and worked its way out to a number of non-franchised stores,” Richard Henderson, global security strategist at Absolute Software, told Infosecurity. “Like many malware attacks, these infections can persist inside networks for weeks and months before someone finds an issue—and in many cases, it can be the anti-fraud technologies of the card issuers themselves that are able to trace the breach to a specific source.”

The National Association of Federally-Insured Credit Unions (NAFCU) weighed in on the breach, stressing the need for national standards. NAFCU was the first financial trade organization to call for national data security standards for retailers, and it continues to push for legislative action on Capitol Hill.

“The continuing saga of retail data breaches has become a national nightmare. Cybercriminals are on a binge to capture American consumers’ valuable personal and financial data at every opportunity. The lack of a national standard of protection for merchants makes it easier for them,” said NAFCU president and CEO Dan Berger. “Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015. And there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% hike over the same time last year. This breach is another example of why Congress must act to implement national data security standards for retailers now.”

According to the Identity Theft Resource Center (ITRC), in 2016, the business sector, which includes retailers, again topped the list in the number of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches.

“Unfortunately, there is no comprehensive regulatory structure akin to GLBA that covers retailers, merchants, and others who collect and hold sensitive information,” Berger said. “NAFCU continues to seek passage of a data security bill that would create a strong national standard of protection for retailers, recognize credit unions’ compliance with the Gramm-Leach-Bliley Act and hold retailers accountable for breaches occurring on their end.”

That should include supply chain safety, according to Jeff Hill, director of product management at Prevalent Inc.

“When the retail industry is attacked, it very often manifests as a point-of-sale infection,” he said via email. “And point-of-sale device infections nearly always originate at a third party. Target and Oracle/Micros are two of the most high-profile examples, but don’t be surprised if the Arby’s breach is ultimately tied to third-party software that interfaces or runs on the POS devices. Studies vary, but it is generally recognized that at least 40% of all enterprise breaches originate at a third party/vendor. In the retail space, that figure is likely much higher.”
