Credential theft
Arby's POS Malware Breach (355K+ Payment Cards)
Incident Details
Between approximately October 25, 2016 and January 19, 2017, POS malware infected corporate-owned Arby’s restaurant locations across the United States. Franchise locations were not affected. Arby’s was reportedly notified of the breach by industry partners (payment card networks detecting fraud patterns) in mid-January 2017 but remained silent at the request of the FBI while the investigation continued. The breach was publicly disclosed in February 2017 after Krebs on Security reported on it. PSCU (a credit union service organization) confirmed that over 355,000 cards issued by its member credit unions were compromised, though the total number of affected cards across all financial institutions was higher. Stolen data included Track 1 and Track 2 magnetic stripe data (cardholder names, card numbers, expiration dates, service codes, CVV). Mandiant was engaged to conduct the forensic investigation. Four credit unions and the Michigan Credit Union League filed class-action suits against Arby’s.
Technical Details
- Initial Attack Vector
  - POS malware deployed on corporate-owned Arby's restaurant systems (not franchise locations); the malware captured Track 1 and Track 2 magnetic stripe data as it transited infected POS devices
- Malware Family
  - POS malware (Track 1/Track 2 scraper)
Timeline
- 2016-10-25 Breach occurred
- 2017-02-09 Publicly disclosed
- 2017-02-09 Customers notified