The Arby’s Restaurants breach, announced today by security journalist Brian Krebs on the Krebs On Security blog, wasn’t huge compared with massive card breaches such as those at Target and Home Depot in previous years, but the way it may have happened could be indicative of a larger issue.
Compared with other credit card breaches in which the number of stolen cards was in the millions, the breach at Arby’s seems to have vacuumed up a much smaller number – as of this writing a confirmed 355,000 cards, with the full impact as yet unknown.
What’s interesting here is that the breach was strictly limited to corporate-owned stores; no franchised locations were hit. This implies that the breach happened through a central location, likely corporate HQ, and worked its way out to a number of non-franchised stores.
As with many malware attacks, these infections can persist inside networks for weeks and months before someone finds an issue – and in many cases, it is the anti-fraud technologies of the card issuers themselves that trace the breach to a specific source.
Action for businesses
Companies that find themselves in similar positions will need to put all hands on deck to ensure all traces of the malware, as well as any vectors of infiltration used by the attackers, are fully eradicated.
It’s a given that Arby’s will need to do a complete forensic analysis of its infrastructure to ensure the attackers haven’t left a backdoor into it… or it will end up like Wendy’s did last year and become re-infected.
Action for consumers
Consumers should take the time to think about their past few months of fast-food consumption: if you dined at an Arby’s, take a few moments to review bank statements for unauthorized charges, and request a new card from your card issuer. Remember, as a consumer, you are not liable for unauthorized charges if you act within a reasonable amount of time.