There are more than 3,300 Arby's locations, and a majority of them are franchises, according to the company. Its parent company, Arby's Restaurant Group Inc., owns more than 1,000 of the restaurants.
"Not all of the corporate restaurants were affected," Christopher Fuller, Arby's senior vice president of communications, told Krebs. "But this is the most important point: that we have fully contained and eradicated the malware that was on our point-of-sale systems."
It was not immediately clear how long the malware was stealing card information. However, an alert from PCSU, an organization serves more than 800 credit unions, noted a data breach linked to an unnamed "large fast-food restaurant chain" that affected more than 355,000 credit and debit cards issued by PCSU member banks, Krebs reported.
The alert, which was sent to member banks, said the breach appeared to have lasted from Oct. 25, 2016, to Jan. 19, 2017.
Wendy's suffered a similarly large data breach last year that affected 1,025 restaurants.
In a statement, National Association of Federally-Insured Credit Unions president and CEO Dan Berger warned that data breaches like the ones that affected Arby's and Wendy's are likely to increase.
He urged legislators to create national data security standards for retailers.
"The continuing saga of retail data breaches have become a national nightmare," he said. "This breach is another example of why Congress must act to implement national data security standards for retailers now."