Arby's fast food chain falls victim to security breach

Shawn Knight


Arby’s, the fast food chain that proudly proclaims it has the meats, apparently also has something else – lax security.

Krebs on Security reported Thursday that sources at nearly half a dozen banks and credit unions reached out over the past 48 hours to ask whether it had heard anything about a data breach involving the fast food chain. When probed on the matter, the restaurant confirmed the breach to the publication.

A spokesperson for Arby’s told Krebs that the company first learned of an issue involving its payment card system in mid-January. The company immediately notified law enforcement and enlisted the help of leading security experts including Mandiant.

Malware was discovered on payment systems inside some of Arby’s corporate stores; franchised locations were not impacted. Arby’s said it had not gone public about the issue as per the FBI’s request.

Krebs notes that roughly a third of the 3,300 Arby’s locations in the US are corporate-owned.

Krebs said the first rumblings of a breach came as part of a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert mentioned a breach at an unnamed retailer that compromised more than 355,000 credit and debit cards issued by PSCU member banks.

Arby’s, meanwhile, declined to say how long the malware had been installed, although the aforementioned report estimates the breach may have occurred between October 25, 2016, and January 19, 2017.

Photo by Rebecca Sapp, Getty Images


 
At this point there are no excuses. It's not as if these huge corporations don't know that this kind of thing is possible. The reason there are breaches is because security costs money, and more accurately these stores are not willing to pay to upgrade their payment environments. At what point do we stop feeling sorry for these companies and start fining them up the wazoo? It's not the consumer's fault that their credit card numbers were stolen.
 
No time in the next 4 years, that's for sure. Or 4 years after that, etc.

Neither side seems interested in setting more stringent regulations and punishments for this kind of thing. And without that, fines will continue to be minor pittances. And as long as the fines are not enough to make upgrading security cheaper than paying fines, there will not be any upgraded security.
 
Interesting analytical viewpoint with bonus comment alluding to presumably issue blind pro-business present administration.

I'm kind of curious about what steps the previous administration took to 'fine' and deter the previous three different times the storyline stated: "...largest data breach in the history of the internet...".

Maybe I missed the headlines in lesser breaches. Was Ashley Madison fined? Yahoo? OPM? Maybe someone was fired at Obama's insistence?

Bring the facts, not your personal agenda.
 
The problem is that companies' IT departments scream for a budget to get proper hardware and security. Companies try to cut expenses, but they cut it at security. Then this happens.
 
I agree with the sentiment. Reading the original article indicates this was a POS system. POS is the 'hanging meat in bear country' point of attack. If you read the Krebs article, you will see that Wendy's found a similar breach earlier last year but several months later admitted that some of its franchisees were still not secured, the public not notified, and customers were handing them their credit cards. Wendy's stating 'cash only' at certain restaurants (as McDonald's did in our neighborhood) would have affected sales only temporarily for local restaurants so, no excuses.

I have no idea where the data breach occurred: local, transmission, batch processing, or at corporate headquarters (it was stated corporate restaurants but that could be the tip of the iceberg), nor even if it was contractor physical access or employee misbehavior or a network printer compromise. Without that information, additional IT funding may not be a factor. There is a law of vastly diminishing returns. I think the problem would be to set the return rate.

A solution that lets the government get involved and add incentive for IT security but doesn't overwhelm is: The corporation pays all bank fees and credit rebuilding costs/problems for all consumers affected from the date of discovery and a 50% fine of all the costs per customer to the customer. Any discoverer notifying the corporation about the problem gets a percentage of damage reward GUARANTEED BY THE GOVERNMENT (so the government lawyers are the ones asking to be paid and not the researcher) from 5 days (that's 24-hour days, not business days) to as long as the corporation doesn't stop the data bleed, and the government gets an equal amount for the public coffer so the government doesn't have an incentive to simply turn away.
 
McDonald's today was unable to print paper receipts. The threat, though, is they will replace many of their workers with the kiosk system, laying some off, when the present system is defunct.