Lawsuits: Hackers stole customer data at 1,000 Arby’s stores

Arby's Restaurant Group failed to prevent hackers from stealing customer information at hundreds of its locations, a Connecticut couple says in a new federal lawsuit.

Since early February, eight credit unions and banks from Indiana, Alabama, Arkansas, Louisiana, Michigan, Pennsylvania and Montana have filed seven other federal lawsuits. All make similar allegations about what the credit unions describe as a massive data breach.

Atlanta-based Arby's said in a written statement Monday that it's not commenting on the pending litigation, but "we believe the claims are without merit and intend to vigorously defend against them."

From late October through Jan. 19, "hundreds of thousands, if not millions, of credit and debit cards issued by financial institutions, including Plaintiff, were compromised due to Arby's severely inadequate security practices," the North Alabama Educators Credit Union said in its lawsuit filed last month.

"Arby's actions and omissions left highly sensitive Payment Card Data of the Plaintiff's customers exposed and accessible for hackers to steal for nearly three months," the Alabama credit union said in the suit.

In the latest lawsuit, Jacqueline and Joseph Weiss of Glastonbury, Connecticut, say computer hackers used data-looting malware to penetrate systems at about 1,000 Arby's restaurants during the breach.

In December 2016, the couple discovered thousands of dollars in unauthorized charges on the Visa card they'd used at an Arby's in Connecticut, they say in their lawsuit filed last week.

The Weiesses' lawsuit asserts that a credit union organization alerted its members that at least 355,000 credit and debit cards were compromised by the Arby's breach.

By installing malware at the "Point Of Sale" or cash register, hackers were able to "steal payment card data from remote locations as a card was swiped for payment," Fort Wayne-based Midwest America Federal Credit Union claimed in a February lawsuit.

Arby's "knew the danger of not safeguarding its POS network as various high profile data breaches have occurred in the same way, including data breaches of Target, Home Depot and, most recently, Wendy's," the Indiana credit union maintains in its lawsuit.

Lawyers for the Weisse's say the threat isn't over.

"There is a strong probability that entire batches of stolen information have yet to be dumped on the black market," they said, meaning Arby's customers "could be at risk of fraud and identity theft for years into the future."

It's not clear whether a criminal investigation has been opened in the Arby's breach. The FBI's policy is not to confirm or deny whether a matter is being investigated, FBI Special Agent Stephen Emmett said Monday.

Please enable JavaScript to view this content.

Story Continues Below

Editor's note: You can comment on IBJ stories by signing in to your IBJ account. If you have not registered, please sign up for a free account now. Please note our updated comment policy that will govern how comments are moderated.

{{ articles_remaining }}
Free {{ article_text }} Remaining
{{ articles_remaining }}
Free {{ article_text }} Remaining Article limit resets on
{{ count_down }}