Arby’s under the microscope after breach

Atlanta-based Arby’s Restaurant Group Inc. disclosed Feb. 9, 2017, that a data breach may have affected more than 355,000 consumer credit and debit cards. Payment Systems for Credit Unions, a trade association representing more than 800 credit unions, notified Arby’s in January 2017 when its card-issuing member banks traced thousands of compromised cards to select corporate stores in the fast food chain. PSCU analysts believe the POS systems became infected with malware between Oct. 25, 2016 and Jan. 19, 2017.

Christopher Fuller, Senior Vice President of Communications at Arby’s, stated that not all corporate restaurants had been affected and emphasized the situation has been fully contained. Noting in a Feb. 9 statement that consumer credit and debit cards have become a tempting menu item for fraudsters, B. Dan Berger, President and Chief Executive Officer of the National Association of Federal Credit Unions, called for a national standard of protection. “The continuing saga of retail data breaches have become a national nightmare,” Berger stated. “Cybercriminals are on a binge to capture American consumers’ valuable personal and financial data at every opportunity.”

Berger said that data breaches climbed 40 percent in 2016, compared with the previous year, a record that is being surpassed in 2017. “In 2017, we have already hit 110 breaches, a 36 percent hike over the same time last year,” he said. “[The Arby’s] breach is another example of why Congress must act to implement national data security standards for retailers now.”

Protecting PII

Berger additionally cited statistics from the Identity Theft Resource Center that found retailers were targeted in 45.2 percent of the 494 data breach incidents reported in 2016. He vowed to push for legislation designed to protect retailers while holding them responsible for breaches.

Berger said the NAFCU is seeking to pass legislation to protect credit unions that comply with the Gramm-Leach-Bliley Act. The federal law, passed in 1999, provides guidance to businesses and financial institutions on methods for managing and storing personally identifiable information (PII). The law requires companies to clearly, conspicuously and accurately disclose information-sharing practices and allow customers to opt out of sharing their information with third parties.

Malware footprints

Alex Vaystikh, a cybersecurity veteran with expertise in applied research and product development, is Chief Technology Officer at SecBI, an Israeli cybersecurity company. Vaystikh sees similarities between the Arby’s breach and the highly publicized Target Stores Inc. intrusion reported in 2013, because in both cases, malware operated within the merchant’s network, collecting data and “exfiltrating” it over several months. “The malware spread from device to device, controlled remotely by an opportunistic hacker,” he stated.

Vaystikh suggested the long span of the Arby’s attack may indicate two distinct possibilities: Arby’s may be operating without sensors (for example, network gateways that log the network behavior of their device populations), or the company lacks the analytics tools that can process the huge amounts of data generated by the gateways.

“To date, the leading cause of breaches has been a lack of analytics to empower the security analysts,” he said. “This is what happened to Target, as the company attested in its post-breach public brief to the Senate. It’s probably what happened to Arby’s in this case too.”

Next steps

Arby’s is working closely with the FBI and the cybersecurity firm Mandiant on the continuing post-mortem investigation and has taken measures to “eradicate the malware from systems at restaurants that were impacted,” according to company representatives.

The company created a new website,, where it will post updates on remedial activities. A statement on the website reminds guests to monitor their payment card accounts for suspicious activity. “If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card,” Arby’s stated.

Comments are closed.