Arby's Logo

Security

Arby’s Restaurant Group Notifies Customers of Payment Card Incident

Update - April 14, 2017 – The time frames that were listed when this notification was first posted varied by restaurant but in each case began no earlier than October 20, 2016 and ended no later than January 12, 2017. After further analysis, Arby’s believes that the start time for certain restaurants may be different than what was initially listed, although still within the October 20, 2016 to January 12, 2017 time frame. Additionally, for a small number of restaurants, the start time of the time frame may be as early as October 8, 2016. The time frames have been updated accordingly on the website.

California residents please click here
March 10, 2017

Arby’s Restaurant Group, Inc. (ARG) values the relationship our restaurants have with our guests and understands the importance of protecting payment card information. We want to inform you of an incident that may involve some of that information.

Upon learning of the incident, ARG immediately notified law enforcement and a thorough investigation was commenced. ARG learned of, and quickly took measures to contain and eradicate, malware that was present on the point-of-sale (POS) systems of certain restaurants. ARG believes that, by means of the malware, the intruder may have been able to access data from payment cards used during time frames that vary by restaurant but in each case begin no earlier than October 20, 2016 and end no later than January 12, 2017.

A list of restaurants apparently affected and specific timeframes can be found by clicking the Locations tab above. Only company-owned restaurants were impacted. In some instances, the malware appears to have identified data from the card’s magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every card was identified.

ARG has been working closely with the payment card companies regarding this matter. Payment card network rules generally state that cardholders are not responsible for fraudulent charges that are timely reported. Accordingly, ARG guests, like any cardholder, should promptly report unauthorized charges to the bank that issued their card.

For more information regarding this incident, guests can call 1-800-599-2729 between the hours of 7:00 a.m. and 11:00 p.m. CST.

MORE INFORMATION ON WAYS TO PROTECT YOURSELF

We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax Experian TransUnion
Phone: 1-800-685-1111
P.O. Box 740256
Atlanta, Georgia 30348
www.equifax.com
Phone: 888-397-3742
P.O. Box 9554
Allen, Texas 75013
www.experian.com
Phone: 888-909-8872
P.O. Box 105281
Atlanta, GA 30348-5281
www.transunion.com

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft

If you are a resident of Maryland, you may contact the Maryland Attorney General’s Office at
200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

If you are a resident of North Carolina, you may contact the North Carolina Attorney
General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716- 6400.

If you are a resident of Massachusetts, note that pursuant to Massachusetts law, you have the right to obtain a copy of any police report.

Massachusetts law also allows consumers to request a security freeze. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without written authorization. Be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

The fee for placing a security freeze on a credit report is $5.00. If you are a victim of identity theft and submit a valid investigative report or complaint with a law enforcement agency, the fee will be waived. In all other instances, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze. If you have not been a victim of identity theft, you will need to include payment to the credit reporting agency to place, lift, or remove a security freeze by check, money order, or credit card.

To place a security freeze on your credit report, you must send a written request to each of the three major reporting agencies by regular, certified, or overnight mail at the addresses below:

Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com
Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com
TransUnion Security Freeze, PO Box 2000, Chester, PA 19022-2000, www.transunion.com

In order to request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
  2. Social Security number
  3. Date of birth
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
  5. Proof of current address such as a current utility bill or telephone bill
  6. A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
  7. If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number ("PIN") or password or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

If you are a resident of West Virginia, you also have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies. Contact information for each of the three credit reporting agencies is as follows:

Equifax, PO Box 740256, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 9554, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-680-7289

As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file. You may choose between two types of fraud alert. An initial alert (Initial Security Alert) stays in your file for at least 90 days. An extended alert (Extended Fraud Victim Alert) stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.

You may also obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to West Virginia law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a unique personal identification number (“PIN”) or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the distribution of your credit report for a period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

  1. The unique personal identification number (“PIN”) or password provided by the consumer reporting agency;
  2. Proper identification to verify your identity; and
  3. The period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request.

A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, a few days before actually applying for new credit.

Substitute Notice for California

Update - April 14, 2017 – The time frames that were listed when this notification was first posted varied by restaurant but in each case began no earlier than October 20, 2016 and ended no later than January 12, 2017. After further analysis, Arby’s believes that the start time for certain restaurants may be different than what was initially listed, although still within the October 20, 2016 to January 12, 2017 time frame. Additionally, for a small number of restaurants, the start time of the time frame may be as early as October 8, 2016. The time frames have been updated accordingly on the website.

Arby’s Restaurant Group Notifies Guests of Payment Card Security Incident

NOTICE OF DATA BREACH

Arby’s Restaurant Group, Inc. (ARG) values the relationship our restaurants have with our guests and understands the importance of protecting payment card information. We want to inform you of an incident that may involve some of that information.

What Happened

ARG today provided further information regarding the previously disclosed payment card security incident involving certain U.S. restaurants.

Upon learning of the incident, ARG immediately notified law enforcement and a thorough investigation was commenced. ARG learned of, and quickly took measures to contain and eradicate, malware that was present on the point-of-sale (POS) systems of certain restaurants. ARG believes that, by means of the malware, the intruder may have been able to access data from payment cards used during time frames that vary by restaurant but in each case begin no earlier than October 20, 2016 and end no later than January 12, 2017.

What Information Was Involved

Only company-owned restaurants were impacted. In some instances, the malware appears to have identified data from the card’s magnetic stripe that included the cardholder name and number and in other instances the card data identified by the malware did not appear to include the cardholder name. It is possible that not every card was identified.

What You Can Do

A list of restaurants apparently affected and specific timeframes, along with steps guests can take, can be found here.

We remind you that it is always advisable to be vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take to protect your information.

What We Are Doing

ARG learned of, and quickly took measures to contain and eradicate, malware that was present on the point-of-sale (POS) systems of certain restaurants, and further enhanced our security measures. We have also notified law enforcement and are working with the payment card networks regarding this matter.

For More Information

For more information regarding this incident, guests can call 1-800-599-2729 between the hours of 7:00 a.m. and 11:00 p.m. CST.

Restaurants and Timeframes that Relate to this Notification

A list of restaurants apparently affected and specific timeframes can be searched using the look-up tool below. If you do not see a specific location when searching this tool, that restaurant has not been potentially impacted.

Please note that the specific timeframes in which a location was apparently affected varies by restaurant.