Fast food chain Arby’s confirmed that credit card data was stolen from thousands of its customers due to a data breach that took place last month.
According to a report from cybersecurity expert Brian Krebs, the company discovered the breach in mid-January, and it impacted roughly 1,000 corporate restaurant locations but only one of its franchise restaurants.
Krebs noted that the first mention of the breach came from a Credit Union Service Organization (CUSO) called PSCU, which sent out a non-public alert to the 800 credit union member banks it serves advising that it had received a list of compromised card numbers from Mastercard and Visa.
Though the retailer wasn’t named at the time, PSCU said more than 355,000 credit and debit cards issued by PSCU-associated banks were compromised in the data breach.
“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, told Krebs. “That’s probably one of the biggest numbers I’ve heard.”
An Arby’s spokesperson told Fortune that the malware infection on its point-of-sale systems, which led to the breach, was eliminated. Arby’s reportedly alerted law enforcement after learning of the attack and is working with several cybersecurity firms, including Mandiant, as it continues investigating the breach.
Last year, another popular fast food chain also felt the burn of a large-scale data breach.
Wendy’s — the maker of America’s third best-known fast food burger — reported that despite initial reports of 300 restaurants being impacted by a probable data breach back in January 2016, the number was actually quite a bit bigger. The chain confirmed later in June that additional instances of unusual card activity were discovered at some franchise-operated locations, leading to the discovery of the new and more extensive malware infiltration on its POS systems.