[BreachExchange] Lawsuits: Hackers stole customer data at 1,000 Arby's stores

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 28 18:57:17 EDT 2017


http://abcnews.go.com/US/wireStory/lawsuit-hackers-stole-customer-data-1000-arbys-stores-46406744

Georgia-based Arby's restaurant chain failed to prevent hackers from
stealing customer information at hundreds of its stores, a Connecticut
couple said in a new federal lawsuit.

Since early February, eight credit unions and banks from Indiana, Alabama,
Arkansas, Louisiana, Michigan, Pennsylvania and Montana have filed seven
other federal lawsuits. All make similar allegations about what the credit
unions describe as a massive data breach.

Arby's said in a statement Monday that it's not commenting on the pending
litigation, but "we believe the claims are without merit and intend to
vigorously defend against them."

From late October through Jan. 19, "hundreds of thousands, if not millions,
of credit and debit cards issued by financial institutions, including
Plaintiff, were compromised due to Arby's severely inadequate security
practices," North Alabama Educators Credit Union states in its lawsuit
filed last month.

"Arby's actions and omissions left highly sensitive Payment Card Data of
the Plaintiff's customers exposed and accessible for hackers to steal for
nearly three months," the Alabama credit union maintains.

In the latest lawsuit, Jacqueline and Joseph Weiss of Glastonbury,
Connecticut, say computer hackers used data-looting malware to penetrate
systems at about 1,000 Arby's restaurants during the breach.

In December 2016, the couple discovered thousands of dollars in
unauthorized charges on the Visa card they'd used at an Arby's in
Connecticut, they say in their lawsuit filed last week.

The Weisses' lawsuit asserts that a credit union organization alerted its
members that at least 355,000 credit and debit cards were compromised by
the Arby's breach.

By installing malware at the "Point Of Sale" or cash register, hackers were
able to "steal payment card data from remote locations as a card was swiped
for payment," Indiana-based Midwest America Federal Credit Union claimed in
a February lawsuit.

Arby's "knew the danger of not safeguarding its POS network as various high
profile data breaches have occurred in the same way, including data
breaches of Target, Home Depot and, most recently, Wendy's," the Indiana
credit union maintains in its lawsuit.

Lawyers for the Weisses say the threat isn't over.

"There is a strong probability that entire batches of stolen information
have yet to be dumped on the black market," they state, meaning Arby's
customers "could be at risk of fraud and identity theft for years into the
future."

It's not clear whether a criminal investigation has been opened in the
Arby's breach. The FBI's policy is not to confirm or deny whether a matter
is being investigated, FBI Special Agent Stephen Emmett said Monday.