Data breach at Arby’s reportedly was first sniffed out by PSCU

Yet another merchant data breach was revealed Thursday when Krebs On Security reported a lengthy and sizeable incident involving Arby’s fast food restaurants.

According to the Krebs report, Atlanta-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but noted it did not go public about the incident at the request of the FBI. Arby’s told Krebs it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurants nationwide.

The Krebs report credited PSCU, a service organization that serves more than 800 credit unions, with first noticing the breach. It said PSCU sent an alert to PSCU member CUs, advising them that PSCU had received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PSCU members.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” said the alert, which was sent only to PSCU member CUs.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and Jan. 19, 2017.

Breaches up in 2016
As CU Journal has reported, a recent study from the Identity Theft Resource Center revealed a 26% decline in data breaches targeting financial institutions last year, but data breaches as a whole increased significantly.

The ITRC report went on to point out that data breaches at merchants indirectly affect financial institutions when merchants’ point-of-sale terminals are compromised, leading to losses.

The two major credit union trade associations – which have long advocated for national standards for cybersecurity – were quick to pounce on the news of the Arby's breach as evidence of the need for legislation.

Dan Berger, president and CEO of the National Association of Federally-Insured Credit Unions, on Thursday said in a statement, “The continuing saga of retail data breaches has become a national nightmare. Cybercriminals are on a binge to capture American consumers’ valuable personal and financial data at every opportunity. The lack of a national standard of protection for merchants makes it easier for them. Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015. And there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% hike over the same time last year. This breach is another example of why Congress must act to implement national data security standards for retailers now.”

Ryan Donovan, chief advocacy officer for the Credit Union National Association, told Credit Union Journal the Arby’s breach is, “Just another example of the consequence of Congress’ failure to enact strong data security standards on merchants that accept payment cards.”
