Lawsuits: Hackers stole customer data at 1,000 Arby’s stores

Posted at 5:27 PM, Mar 27, 2017
and last updated 2017-03-27 17:27:14-04

ATLANTA (AP) — Georgia-based Arby’s restaurant chain failed to prevent hackers from stealing customer information at hundreds of its stores, a Connecticut couple said in a new federal lawsuit.

Since early February, eight credit unions and banks from Indiana, Alabama, Arkansas, Louisiana, Michigan, Pennsylvania and Montana have filed seven other federal lawsuits. All make similar allegations about what the credit unions describe as a massive data breach.

Arby’s said in a statement Monday that it’s not commenting on the pending litigation, but “we believe the claims are without merit and intend to vigorously defend against them.”

From late October through Jan. 19, “hundreds of thousands, if not millions, of credit and debit cards issued by financial institutions, including Plaintiff, were compromised due to Arby’s severely inadequate security practices,” North Alabama Educators Credit Union states in its lawsuit filed last month.

“Arby’s actions and omissions left highly sensitive Payment Card Data of the Plaintiff’s customers exposed and accessible for hackers to steal for nearly three months,” the Alabama credit union maintains.

In the latest lawsuit, Jacqueline and Joseph Weiss of Glastonbury, Connecticut, say computer hackers used data-looting malware to penetrate systems at about 1,000 Arby’s restaurants during the breach.

In December 2016, the couple discovered thousands of dollars in unauthorized charges on the Visa card they’d used at an Arby’s in Connecticut, they say in their lawsuit filed last week.

The Weiesses’ lawsuit asserts that a credit union organization alerted its members that at least 355,000 credit and debit cards were compromised by the Arby’s breach.

By installing malware at the “Point Of Sale” or cash register, hackers were able to “steal payment card data from remote locations as a card was swiped for payment,” Indiana-based Midwest America Federal Credit Union claimed in a February lawsuit.

Arby’s “knew the danger of not safeguarding its POS network as various high profile data breaches have occurred in the same way, including data breaches of Target, Home Depot and, most recently, Wendy’s,” the Indiana credit union maintains in its lawsuit.

Lawyers for the Weisse’s say the threat isn’t over.

“There is a strong probability that entire batches of stolen information have yet to be dumped on the black market,” they state, meaning Arby’s customers “could be at risk of fraud and identity theft for years into the future.”

It’s not clear whether a criminal investigation has been opened in the Arby’s breach. The FBI’s policy is not to confirm or deny whether a matter is being investigated, FBI Special Agent Stephen Emmett said Monday.