Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security Businesses Communications Crime Network Networking Software Technology

Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com) 49

Brian Krebs is reporting that Arby's "recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide." The breach is said to only affect some corporate stores and not franchised restaurant locations. While there is no exact number of those affected, it's possible that more than 355,000 credit and debit cards issued by PCSU members banks may have been compromised. Krebs On Security reports: The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks. Arby's declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.
This discussion has been archived. No new comments can be posted.

Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards

Comments Filter:
  • Should have used bitcoin.

  • Last night on the news there was also a story about some Arby's being picketed because they hadn't paid their employees. Are these guys asleep at the switch or something?

    • Re: (Score:3, Informative)

      It probably depends on if the restaurant is a franchise or not. There is a Popeye's close by that is absolutely terrible and has had constant negative reviews for years. You'd think corporate would want to improve things? Nope. Same deal for Steak N Shake. Worst service I've ever had in restaurant and constant complaints. Drive 30 minutes away and the next one is the complete opposite

  • the simpson's said it best: https://www.youtube.com/watch?... [youtube.com]
  • ARBY'S (Score:5, Insightful)

    by the_skywise ( 189793 ) on Thursday February 09, 2017 @06:11PM (#53835615)

    WE HAVE THE MALWARE!

    Can we at least see a list of stores that were affected so I'd know if I need to take action?
    Is that too much to ask?!

    • by plover ( 150551 )

      A breach that impacted 355,000 member cards is huge, indicating it was deployed to a large percentage of their chain, if not the whole chain. Since their breach "ended" on January 19 and it still took them 3 weeks to produce the list of affected cards, that tells me that Arby's response time is pretty damn poor, and that they may not be very good at tracking what's going on. Some senior VP said that "not all [of their 1000] corporate restaurants [out of 4000] were affected", but with news this bad combine

  • by tempest69 ( 572798 ) on Thursday February 09, 2017 @06:13PM (#53835627) Journal
    Yes, CC and banks are dragging their heels. But the whole system is just bad. First, why does Arby's have Normal CC information?? Once it passes, the deal is done. I get having corporate accounts on file, but this is silly. Second, the damn machines shouldn't be giving Arbys any information, other than transaction time/amount/ and some transaction code(needed for refunding cash). Third, The cards should be sophisticated enough to handle a secure chip/pin system (not the sad version of today, but one that is legit)
    • gotta transmit the account number sometime. This could be along the lines of the target hack... when it was in the register.
      • Comment removed based on user account deletion
        • Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.

          That is an interesting scenario but I am betting it will be another case of the attackers compromising a third party vendor and then working their way into the system like the Target breach, the Wendy's breach, etc. A business can have the most robust security system in the world, but if their business partners are lax it is all for nothing.

    • by Luthair ( 847766 )
      To me the real question is why point of sale systems have any ability to communicate to anything but the payment processor? This, much like the Home Depot breach only occur because of incompetence.
  • by Anonymous Coward

    Not completely unrelated, but... Arby's charged me $87.80 for an $8.78. I noticed the incorrect charge a few days too late to dispute with my credit card company. I called the local store to find out THEY MANUALLY ENTER THE TOTALS in their credit card machines. Probably fat fingered the total. It's also common practice these days to withhold receipts (hence why I didn't notice right away). The GM and DM both acknowledge the problem, but 3 weeks after my first call I have yet to see a dime.

    It's crazy these d

  • But (Score:4, Insightful)

    by Dunbal ( 464142 ) * on Thursday February 09, 2017 @07:14PM (#53835951)
    Since there are absolutely no legal consequences, this kind of stuff is just going to keep happening.
  • It's probably the same 8 people who made all those transactions. Surprised that they even had that many sales! ;)

  • I was under the impression that anyone that eats at Arbys probably doesn't own a computer or knows how to operate one, so why would any of us care about this?
  • Chip-based cards will solve this kind of problem... the chip only surrenders enough data to process one transaction, so repeated transactions without the card present is impossible... would be nice if they rolled this out to the Internet too.

Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Working...