
Fast Food Chain Arby's Acknowledges Being Raped By Credit Card Thieves


Buggered

Feb 16, 2017, 4:00:05 AM
Sources at nearly a half-dozen banks and credit unions
independently reached out over the past 48 hours to inquire if
I’d heard anything about a data breach at Arby’s fast-food
restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity
that it recently remediated a breach involving malicious
software installed on payment card systems at hundreds of its
restaurant locations nationwide.

A spokesperson for Atlanta, Ga.-based Arby’s said the company
was first notified by industry partners in mid-January about a
breach at some stores, but that it had not gone public about the
incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with
information that prompted it to launch an investigation of its
payment card systems,” the company said in a written statement
provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law
enforcement and enlisted the expertise of leading security
experts, including Mandiant,” their statement continued. “While
the investigation is ongoing, ARG quickly took measures to
contain this incident and eradicate the malware from systems at
restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment
systems inside Arby’s corporate stores, and that Arby’s
franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and
roughly one-third of those are corporate-owned. The remaining
stores are franchises. However, this distinction is likely to be
lost on Arby’s customers until the company releases more
information about individual restaurant locations affected by
the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not
all of the corporate restaurants were affected,” said
Christopher Fuller, Arby’s senior vice president of
communications. “But this is the most important point: That we
have fully contained and eradicated the malware that was on our
point-of-sale systems.”

The first clues about a possible breach at the sandwich chain
came in a non-public alert issued by PSCU, a service
organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just
received very long lists of compromised card numbers from both
Visa and MasterCard. The alerts stated that a breach at an
unnamed retailer compromised more than 355,000 credit and debit
cards issued by PSCU member banks.

“PSCU believes the alerts are associated with a large fast food
restaurant chain, yet to be announced to the public,” reads the
alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have
stolen credit and debit card data from infected corporate
payment systems. But the PSCU notice said the breach is
estimated to have occurred between Oct. 25, 2016 and January 19,
2017.

Such a large alert from the card associations is generally a
sign of a sizable nationwide breach, as this is likely just the
first of many alerts Visa and MasterCard will send to
card-issuing banks regarding accounts that were compromised in the
intrusion. If history is any lesson, some financial institutions
will respond by re-issuing thousands of customer cards, while
other (likely larger) institutions will focus on managing fraud
losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller
banks are still feeling the financial pain from fraud related to
a similar breach at the fast food chain Wendy’s. KrebsOnSecurity
broke the news of that breach in January 2016, but the company
didn’t announce it had fully removed the malware from its
systems until May 2016. But two months after that the company
was forced to admit that many Wendy’s locations were still
compromised.

B. Dan Berger, president and CEO of the National Association of
Federal Credit Unions, said the number of cards that PSCU told
member banks were likely exposed in this breach is roughly in
line with the numbers released not long after news of the
Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the
Wendy’s breach, the alerts we were getting from Visa and
MasterCard were in the six-digit ranges for sure,” Berger said.
“That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because
the company was re-compromised after it scrubbed its payment
systems of malicious software. Many banks and credit unions
ended up re-issuing customer cards several times throughout last
year after loyal Wendy’s customers re-compromised their brand
new cards again and again because they routinely ate at multiple
Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit
transactions through Wendy’s when they were still dealing with
that breach,” Berger said. “Our member credit unions were eating
the costs of fraud on compromised cards, and on top of that
having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail
industry credit card breaches over the past two years, including
intrusions at Target and Home Depot, as well as breaches at a
slew of point-of-sale vendors. The malware sometimes is
installed via hacked remote administration tools like LogMeIn;
in other cases the malware is relayed via “spear-phishing”
attacks that target company employees. Once the attackers have
their malware loaded onto the point-of-sale devices, they can
remotely capture data from each card swiped at that cash
register.

Thieves can then sell that data to crooks who specialize in
encoding the stolen data onto any card with a magnetic stripe,
and using the cards to purchase high-priced electronics and gift
cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent
charges on their credit or debit cards, but they still have to
report the unauthorized transactions. There is no substitute for
keeping a close eye on your card statements. Also, consider
using credit cards instead of debit cards; having your checking
account emptied of cash while your bank sorts out the situation
can be a hassle and lead to secondary problems (bounced checks,
for instance).

https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/
 
