Cyber Incident Victim: Arby's

Date: Oct 2016

Location: United States of America

Summary

A fast food chain experienced a breach involving malware installed on payment systems at hundreds of its corporate-owned locations, though franchised stores were unaffected. The incident, discovered after notification by industry partners, prompted collaboration with law enforcement and security experts to contain and eradicate the malicious software. Payment card data was compromised, with estimates indicating hundreds of thousands of cards stolen, comparable in scale to a prior breach at another restaurant chain. The malware operated undetected for an extended period, leading to fraudulent transactions, though the company confirmed remediation of affected point-of-sale systems.

Description

In mid-January 2017, Arby’s Restaurant Group was alerted by industry partners to a potential breach involving its payment card systems, prompting an internal investigation. The company confirmed that malware had been installed on point-of-sale systems at corporate-owned Arby’s locations, though franchised restaurants were unaffected. Arby’s engaged cybersecurity firm Mandiant and notified law enforcement, including the FBI, which requested delayed public disclosure during the initial response phase. The malware was fully eradicated from compromised systems by the time Arby’s acknowledged the breach publicly on February 9, 2017. A non-public alert from credit union service organization PSCU had earlier identified the breach timeframe as October 25, 2016, to January 19, 2017, estimating over 355,000 compromised payment cards. Arby’s declined to specify the exact duration of malware activity or the number of affected locations but confirmed the breach impacted hundreds of its approximately 1,100 corporate-owned stores out of 3,330 total U.S. locations.

The breach exposed payment card data through point-of-sale malware, a method consistent with prior retail breaches at companies like Target and Wendy’s. Financial institutions, particularly credit unions represented by the National Association of Federal Credit Unions, reported fraud losses comparable to the Wendy’s breach, which had involved hundreds of thousands of cards. Arby’s emphasized containment of the malware but did not initially release details about specific compromised locations, creating potential confusion for customers given the mix of corporate and franchise operations. The company’s remediation efforts included working with forensic investigators and law enforcement, though no further technical specifics about the malware or attacker entry methods were disclosed. Financial industry analysts noted the breach’s timing exacerbated existing strain on smaller institutions still managing fallout from the prolonged Wendy’s breach, which had required multiple containment phases in 2016.
