If you ate at an Arby’s location from Halloween 2016 to Martin Luther King Jr. Day last month, a data breach may have put your financial information at risk.
Arby’s is the latest to be hit
An investigation into suspected malware on the chain’s Point of Sale (POS) systems at corporate locations began in January.
On Feb. 9, an Arby’s spokesperson confirmed to Krebs on Security that the company’s payment card system had been compromised.
The malware, which captured customers’ card info with every swipe, was placed on payment systems inside Arby’s corporate stores. Franchise locations were not impacted.
Arby’s has more than 1,000 corporate locations, though it says not all of those stores were involved in the breach. The company has not disclosed exactly how many locations were involved.
The breach is believed to have taken place between Oct. 25, 2016 and January 19, 2017.
We’ll keep you updated when Arby’s releases further info.
Regardless of how this story develops, there are some things you need to keep in mind whenever you hear about these increasingly common data breaches.
Watch your statements carefully
If you’re among those hit by the Arby’s breach, you need to go through your credit card and debit card statements this month and next month with a fine-tooth comb. Identify any bogus charges the crooks may have pushed through and dispute them immediately with your bank or credit card company.
Use an abundance of caution
Maybe weeks or months down the road, you get an email, letter, or phone call that looks like it comes from Arby’s. It’s a danger known as ‘pretexting.’
If the crooks have your contact info, which has not yet been determined in this case, they would know how to get in touch with you. And the reality is it’s so easy for criminals to ape the exact look and feel of an Arby’s communication, or any other institution for that matter.
That’s a one-two punch that can lead you to drop your defenses when you should be most alert. In a classic pretext scam, you’ll be told Arby’s is trying to prevent crooks from draining your account… and then you’ll be asked for all the info the real crooks need to do just that!
Here’s the rule going forward. Do not click on any link in any email you receive purporting to be from Arby’s. Do not dial any number listed as a phone number in any email.
If you believe Arby’s is trying to get in touch with you, you must log out from your email and go directly to Arby’s website on your own to find the true contact info. Do not sign in on any communication that comes to you where it says “click here to sign in.”
Limit the risks from debit cards by setting up a separate account
The reality is customers who use debit cards are hit hardest by any breach. If you wish to continue using debit in the future, be sure you tie it into a separate account that’s only used for debit transactions. Think of it as your ‘walking around’ money. That way, only that money you transfer to your separate account is at risk in a breach. Not the money you need to pay your mortgage or a car note, or to put food on the table!
Understand the real dangers of debit vs. credit
To understand just how bad debit cards are, you first have to look at the consumer protections afforded to credit cards. In a case like this breach where crooks potentially have your credit card number but not the physical card, normally that means zero dollar liability. In the worst case scenario, your maximum liability would be $50…and some issuers will waive even that.
If you used a debit card though, it’s a whole different story. Debit cards are dangerous to your wallet. They don’t have the normal protections under federal law offered by a credit card. With a breached debit card, you have only two days after you notice that money is gone from your account…or else your liability rises to $500. And under some circumstances, your liability with a debit card can be unlimited.
You should do a credit freeze right now
Offering free credit monitoring for a year is the default crouch position companies tend to go into when news of a breach breaks. But all credit monitoring does is essentially put fraud alerts on your credit files with the three main credit bureaus. These alerts are meant to raise a flag to potential creditors, alerting them to carefully verify an applicant’s identity before extending credit. All too often these alerts are ignored.
There’s a better alternative and it’s called a credit freeze. You’ll pay zero to $10 per bureau to do a credit freeze, depending on your state, and it will shut a criminal down cold when they try to apply for new lines of credit in your name. You can find our credit freeze guide here; it will walk you through the easy process.