The fast food chain Arby’s recently began investigating a credit card breach affecting hundreds of its locations across the United States, Krebs on Security‘s Brian Krebs reports.
The company told Krebs that it was told in mid-January that malware had been installed on its payment card systems, but that it had been asked by the FBI not to notify customers of the incident.
Arby’s is working with third-party security firms including Mandiant to investigate the breach.
All affected locations are corporate-owned, not franchises. “Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” company senior vice president of communications Christopher Fuller told Krebs.
“But this is the most important point: that we have fully contained and eradicated the malware that was on our point-of-sale systems,” Fuller added.
The first indication of a breach came from a credit union service organization alert stating that a breach at a fast food chain, dating as far back as October 2016, had compromised more than 335,000 credit and debit cards.
Gemalto CTO of data protection Jason Hart told eSecurity Planet by email that the Arby’s breach appears to be similar to breaches at Cici’s Pizza and at Wendy’s last year, when attacker got in through a third-party payment processor by tricking an employee into downloading a malicious file.
“This type of attack is likely to continue until organizations that accept credit card payments fully deploy end-to-end encryption to protect payment information as soon as it is captured into the system, until the time it reaches the payment gateway,” Hart said. “Companies and their IT staff must accept the fact that breaches are inevitable, but that does not mean there is nothing they can do — it’s about securing the breach.”
“When they adopt a data-centric view of threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data, they essentially help reduce the value of the data, making it useless to fraudsters,” Hart added.
Richard Henderson, Global Security Strategist at Absolute, noted by email that these types of malware infections can persist inside networks for weeks and months before they’re detected. “Companies in similar positions will need to put all hands on deck to ensure all traces of the malware, as well as any vectors of infiltration by the attackers, are fully eradicated,” he said.
“A complete forensic analysis of their infrastructure is a given to ensure the attackers haven’t left a backdoor into the infrastructure or they’ll end up like Wendy’s did last year and become reinfected,” Henderson added.