Arby’s Restaurant Group, Inc. provided further information regarding the previously disclosed payment card security incident involving certain U.S. restaurants.
Upon learning of the incident, ARG immediately notified law enforcement and a thorough investigation was commenced. ARG learned of, and quickly took measures to contain and eradicate, malware that was present on the point-of-sale (POS) systems of certain restaurants. ARG believes that, by means of the malware, the intruder may have been able to access data from payment cards used during time frames that vary by restaurant but in each case begin no earlier than October 20, 2016 and end no later than January 12.
A list of restaurants apparently affected and specific timeframes, along with steps guests can take, can be found at www.arbys.com/security. Only company-owned restaurants were impacted. In some instances, the malware appears to have identified data from the card’s magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every card was identified.
ARG has been working closely with the payment card companies regarding this matter. Payment card network rules generally state that cardholders are not responsible for fraudulent charges that are timely reported. Accordingly, ARG guests, like any cardholder, should promptly report unauthorized charges to the bank that issued their card.