Hundreds of Arby’s restaurants breached

Arby’s and its customers have become the latest victims of point-of-sale (POS) malware attacks. Cyber criminals took control of the cash registers at Arby’s locations across the country and gained access to the details of hundreds of thousands of payment transactions.

Around 335,000 cards were compromised, according to an estimate provided by a credit card union organization.

The breach, caused by POS malware, works by installing the malware onto the target’s system via hacked remote administration tools or ‘spear-phishing’ attacks, which target company employees. Once the malware is in the POS device, attackers can capture data from each card swiped on that machine.

The fast-food chain discovered the data breach in mid-January, according to cybersecurity reporter Brian Krebs, and it identified the hack as being the result of malware placed on payment systems inside Arby’s corporate stores at some time between October 25 and January 19.

Who is affected?

If you were one of the estimated 335,000 people who ate at certain Arby’s restaurants across the country between October 25 and January 19 – and paid by debit or credit card – you may well have had your information compromised.

As for which of those ‘certain’ Arby’s restaurants that were exploited by this, it is not yet clear. The breach affected only some of Arby’s corporate locations – which make up around one third of the 3,342 locations – while their franchise restaurants, operated by third parties, were unaffected.

Arby’s has not disclosed which corporate stores, or indeed how many, were breached.

As Brian Krebs notes, the distinction between types of restaurants is likely to be lost on Arby’s customers. Who knows whether their local fast-food chain is corporate- or franchise-owned? While potential victims wait for confirmation, they are advised to check their bank statements to look for suspicious activity.

On the plus side, customers needn’t fear returning to Arby’s any time soon. Christian Fuller, Arby’s senior vice president of communications, says the fast-food chain has “fully contained and eradicated the malware that was on our point-of-sale system.”

With this, Arby’s become the latest high-profile victims of point-of-sale malware. Last year’s breach of fellow fast-food chain Wendy’s was similar in approach, and it follows intrusions at Staples and Home Depot in the past few years.

How can you prevent POS breaches?

Geraint Williams, the head of technical services at IT Governance, said “many organizations perform little or no regular testing on the adequacy of the security controls governing their internal infrastructure and website applications. Failure to periodically run internal and external network scans to identify vulnerabilities, poor configuration and coding issues leaves weaknesses and entry points open to attackers. Organizations may think they are protected but, as new vulnerabilities are announced daily, regular testing is vital. Internal and external scanning, though helpful, may not necessarily offer what a real, attack-like penetration testing program, which should include activities like intercepting credentials, cracking weak password hashes and chaining exploits together to compromise the in-scope targets.”

Any company that stores, transmits, or processes cardholder data must comply with the PCI DSS. Not only does compliance with the PCI DSS help to mitigate the risk of losing sensitive information, it also helps prevent POS malware from attacking systems.

Looking to implement PCI DSS compliance? Get more information and guidance from practicing experts on the PCI DSS. Find out more >>

Looking for pre-written, PCI-compliant documentation? IT Governance’s PCI DSS Documentation Toolkit contains easy-to-use, fully customizable templates that help produce PCI-compliant documentation. Find out more >>

Need to test your systems for vulnerabilities? Penetration testing can help to identify, fix, and prevent vulnerabilities within your systems with CREST-accredited testing services. Find out more >>

One Response

  1. andysimon February 7, 2018