Fast food company Arby’s became the latest announced victim of a major data breach which appears to have occurred between October 25, 2016 and January 19, 2017, but was only disclosed by the company yesterday.  The data breach which affected hundreds of the company owned stores, but not those of franchise owners may have resulted in more than 335,000 credit and debit cards being compromised.

As is often the case, the data breach was originally discovered by a bank which first found a pattern of fraudulent credit card use and was able to trace the source back to Arby’s restaurants.  In this case PSCU, a credit union service group for more than 800 credit unions uncovered the fraud.

At the present time it has not been determined how the point of sale credit and debit card processing equipment was compromised with the malware that was downloaded to the equipment to steal the credit and debit card information.  Often the problem can be traced back to spear phishing.


This type of data breach continues to occur as many retail stores and restaurants still have not replaced their magnetic strip credit and debit card processing equipment with EMV chip card processing equipment. Whenever possible you should use your EMV chip card and never use your debit card for a retail purchase because the consumer protection laws regarding debit card fraud are not as strong as the laws protecting consumers from credit card fraud.

Anyone who has used their credit card at an Arby’s restaurant between October 25, 2016 and January 19, 2017 should carefully monitor their credit card statements for evidence of fraudulent use and if you find it, you should report it immediately to your credit card company.  If you used a debit card at an Arby’s restaurant during that time period, you should monitor the bank account attached to the card particularly carefully and refrain from using your debit card for retail purchases in the future.