Hackers grab up to 355,000 credit card numbers from Arby’s customers

Thieves breached payment systems at hundreds of Arby’s restaurants and grabbed account numbers from up to 355,000 credit and debit cards, according to a published report.

KrebsOnSecurity, a blog on online commercial security issues, said Thursday that the Atlanta fast food chain acknowledged that it had recently discovered and shut down the security breach.

According to the online site, the thieves installed malicious software on the payment card systems at hundreds of Arby’s corporate-owned restaurants. The privately held company owns about a third of its 3,300 restaurants, while franchise owners operate the rest.

The franchise restaurants were not affected, Arby’s told the blog.

Arby’s could not immediately be reached for comment.

Arby's is perhaps best known for its roast beef sandwiches and advertising motto, "We have the meats." The 64-year-old chain, headquartered in Sandy Springs, is owned by Roark Capital Group, an Atlanta private equity firm.

According to KrebsOnSecurity, a company spokesman said the breach was discovered in mid-January, but the company didn't disclose the theft at the request of the FBI.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” Christopher Fuller, Arby’s senior vice president of communications, told KrebsOnSecurity. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

Merchants, banks and other credit card issuers have spent billions of dollars over the last few years switching to so-called "chip" cards and readers to battle such thefts. The cards hold a small computer chip that creates a unique code for each transaction, which makes it much harder for scammers to capture customers' credit card numbers.

But fast-food restaurants, service stations and other quick-service merchants have been slow to adopt the new chip card readers because the readers are slower than traditional cards and payment terminals, which has made those merchants a magnet for hackers.

KrebsOnSecurity said it first heard about the Arby’s breach from several banks and credit unions. The blog said that PSCU, a central credit union cooperative in St. Petersburg, Fla., that serves about 800 credit unions, sent out the first alert about the breach.

In a private alert to members, PSCU said a breach at an unnamed retailer had compromised more than 355,000 credit and debit cards issued by member institutions, according to KrebsOnSecurity. The breach appeared to have occurred between Oct. 25, 2016, and Jan. 19, according to the notice.

From the number of cards affected, it is likely the breach was nationwide, the blog said.