Arby's has issued limited information on the breach.

The fast food restaurant chain Arby's has suffered a breach involving the payment card systems in up to 1,100 of its locations.

Arby's issued a statement saying its payment card system was compromised at an unspecified time, but that the incident has been contained and the malware eliminated from the systems at the impacted restaurants. However, it gave out no details on the breach concerning the type of attack, number of people affected or exactly how many of its 3,400 stores were involved. The company did offer a bare-bones description of the action it has taken since the incident was discovered.

“Arby's Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems. Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” Arby's said in a statement sent to SC Media.

KrebsonSecurity reports that Arby's held off on informing the public of the attack at the request of the FBI and that the point-of-sale systems attacked were only in the chain's corporate-owned stores. According to the business information website Hoovers, 1,100 of its restaurants are company-owned.

Richard Henderson, Absolute's global security strategist, cited KrebsonSecurity, which stated 355,000 cards were involved, a number KrebsonSecurity retrieved from a non-public service notice issued by PSCU. PSCU is a credit union service organization that sent the notice to its member credit unions.

“In comparison to other credit card breaches where the number of stolen cards numbered in the millions, the breach at Arby's seems to have vacuumed up a much smaller number - about 300,000 cards,” he told SC Media.

As of the time this article was posted, Arby's declined to comment on whether it had notified the customers impacted by the breach, but said in the statement that its customers should look for unauthorized activity on their payment cards.