Arby's Data Breach Exposes 335k Cards Posted by Association of Vermont Credit Unions on 12:17 PM

The Arby’s restaurant chain, based in Atlanta, experienced a data breach involving a number of its corporate-owned locations. The breach occurred between 10/25/16 and 01/19/17.  According to reports, the breach involved malware placed on payment systems only at corporate locations, which are approximately one-third of the company’s more than 3,330 locations. An Arby’s official says not all of the corporate locations were affected, but more than 355,000 card numbers may have been exposed. Arby's first learned of this incident in mid-January but waited to alert the public by FBI request.

In response, Fort Wayne, Indiana-based Midwest America FCU hit Arby's Restaurant Group with a proposed class action alleging that the company failed to beef up its cyber security, allowing the data breach negatively impacting thousands of issuers of credit and debit cards nationwide. The lawsuit seeks damages for the costs of investigating and refunding fraudulent charges and replacing cards affected by the breach.

A similar data breach hit fast-food chain Wendy’s in 2016, which Krebs also first reported last January. Wendy’s then said in June that the data breach was bigger than it first thought and that it could have impacted more than the 300 stores.

CUNA and the Association of Vermont Credit Unions support strong data breach legislation that includes a strong, scalable security standard for merchants, as well as a notification standard in the event of a breach. Credit unions that have questions can email databreachlawsuit@cuna.coop to communicate with outside counsel who are working with CUNA to address merchant data breaches.