The Green Sheet Online Edition

February 27, 2017  •  Issue 17:02:02


Arby's under the microscope after breach

Atlanta-based Arby's Restaurant Group Inc. disclosed Feb. 9, 2017, that a data breach may have affected more than 355,000 of its customers' credit and debit cards. Payment Systems for Credit Unions, a trade association representing more than 800 credit unions, notified Arby's in January 2017 when its card-issuing member banks traced thousands of compromised cards to select corporate stores in the fast food chain. PSCU analysts believe the POS systems became infected with malware between Oct. 25, 2016 and Jan. 19, 2017.

Christopher Fuller, Senior Vice President of Brand & Corporate Communications at Arby's, stated that not all corporate restaurants had been affected and emphasized the situation has been fully contained.

Noting in a Feb. 9 statement that consumer credit and debit cards have become a tempting menu item for fraudsters, B. Dan Berger, President and Chief Executive Officer of the National Association of Federally-Insured Credit Unions, called for a national standard of protection. "The continuing saga of retail data breaches has become a national nightmare," Berger stated. "Cybercriminals are on a binge to capture American consumers' valuable personal and financial data at every opportunity."

Berger said that data breaches climbed 40 percent in 2016, compared with the previous year, a record that is being surpassed in 2017. "In 2017, we have already hit 110 breaches, a 36 percent hike over the same time last year," he said. "[The Arby's] breach is another example of why Congress must act to implement national data security standards for retailers now."

Protecting PII

Berger additionally cited statistics from the Identity Theft Resource Center that found retailers were targeted in 45.2 percent of the 494 data breach incidents reported in 2016. He vowed to push for legislation designed to protect retailers while holding them responsible for breaches.

Berger said the NAFCU is seeking to pass legislation to protect credit unions that comply with the Gramm-Leach-Bliley Act. The federal law, passed in 1999, provides guidance to businesses and financial institutions on methods for managing and storing personally identifiable information (PII). The law requires companies to clearly, conspicuously and accurately disclose information-sharing practices and allow customers to opt out of sharing their information with third parties.

Malware's telltale footprint

Alex Vaystikh, a cybersecurity veteran with expertise in applied research and product development, is a founder and Chief Technology Officer at SecBI Ltd., an Israeli cybersecurity company. Vaystikh sees similarities between the Arby's breach and the highly publicized Target Corp. intrusion reported in 2013, because in both cases, malware operated within the merchant's network, collecting data and "exfiltrating" it over several months. "The malware spread from device to device, controlled remotely by an opportunistic hacker," he stated.

Vaystikh suggested the long span of the Arby's attack may indicate two distinct possibilities: Arby's may be operating without sensors (for example, network gateways that log the network behavior of their device populations), or the company lacks the analytics tools that can process the huge amounts of data generated by the gateways. "To date, the leading cause of breaches has been a lack of analytics to empower the security analysts," he said.

Arby's is working closely with the FBI and the cybersecurity firm Mandiant on the continuing post-mortem investigation and has taken measures to "eradicate the malware from systems at restaurants that were impacted," according to company representatives.

The company created a new website, http://arbys.com/security, where it will post updates on remedial activities. A statement on the website reminds guests to monitor their payment card accounts for suspicious activity. "If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card," Arby's stated.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
