NEW YORK — Customers’ credit and debit card information was stolen after a malware was placed on payment systems at hundreds of Arby’s restaurants in the U.S.
It’s unclear which stores and how many customers were affected, but the fast food restaurant acknowledged Thursday that there was a data breach, KrebsOnSecurity reported.
“We have fully contained and eradicated the malware that was on our point-of-sale systems,”Christopher Fuller, Arby’s senior vice president of communications, told KrebsOnSecurity.
Arby’s was first notified mid-January of the data breach, but was advised by the FBI to not inform the public at the time of the investigation.
PSCU, an organization that handles 800 credit unions, was the first to report the breach at the fast food chain. The company received an alert that more than 355,000 credit and debit cards from Visa and Mastercard were compromised sometime between Oct. 25, 2016 and Jan. 19, 2017.
The breach was caused by a malware that was installed on payment systems at certain Arby’s restaurants. It was only found on restaurants that were corporate-owned, not ones by franchisees, according to KrebsOnSecurity.
There are more than 3,300 locations, and one-third of them are corporate-owned.
“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” Fuller said.
There is one Arby’s in New York City, 73 others in New York state, and 18 in New Jersey.
It’s unclear when Arby’s will release the list of restaurants that were affected.