“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity. “Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts,” the statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”
According to Arby’s, malware was placed on payment systems within Arby’s corporate stores, but franchised restaurants were not impacted. About a third of Arby’s 3,300 U.S. stores are corporate-owned, but details have yet to be released around exactly which locations were impacted by the breach.
“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” Christopher Fuller, Arby’s senior vice president of communications, told KrebsOnSecurity. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”
The fast-food chain has yet to reveal how long the malware remained active on corporate payment systems, though it is estimated that it was effective between October 25, 2016 and January 19, 2017.
So what to be done? While you’re not liable for any fraudulent charges that may hit your credit or debit cards, you’ll still need to be vigilant about reporting these transactions. That means that you’ll have to keep close watch on your statements. We’ll update you with any additional information as it becomes available.
