Newsroom

Credit unions should be aware of a recently disclosed data breach at Arby's fast-food restaurants affecting its corporate stores, which number more than 1,000 in the U.S.

Arby's told KrebsOnSecurity, who reported the breach today, that the point-of-sale malware did not affect all corporate locations and has since been removed.

"The continuing saga of retail data breaches has become a national nightmare. Cybercriminals are on a binge to capture American consumers' valuable personal and financial data at every opportunity," said NAFCU President and CEO Dan Berger. "The lack of a national standard of protection for merchants makes it easier for them."

Brian Krebs, author of KrebsOnSecurity, said he was alerted to the breach by bank and credit union representatives reaching out to him to ask if he knew about a data breach at the eatery. Arby's confirmed the breach.

The Krebs post references a non-public alert issued by PSCU to its members that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards. The breach, it says, is estimated to have occurred between Oct. 25, 2016, and Jan. 19. Arby's has not confirmed the length of time the malware was capturing credit and debit card data.

Speaking with Krebs about the report, Berger said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy's breach broke.

NAFCU continues to push for Congress to pass a strong national data security standard for retailers that would hold them to the same standards credit unions already follow under the Gramm-Leach-Bliley Act. Credit union representatives can reach out to their members of Congress and urge them to support such a measure through NAFCU's Grassroots Action Center.