Popular US franchised sandwich restaurant chain Jimmy John’s has confirmed that it has suffered a data breach that affected approximately 216 of its stores all over the country.
The company was first notified of a possible security incident involving customers’ credit and debit card data on July 30, 2014, and immediately hired third-party forensic experts to assist with the investigation.
“While the investigation is ongoing, it appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014,” the company shared.
“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, e-mail, and password, remains secure.”
The company says that it has contained the compromise, and that it will be installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third-party vendors in order to prevent similar breaches in the future.
As expected, the company has provided free identity protection services to all customers who used a credit/debit card at one of Jimmy John’s locations during the listed dates, and has warned potentially affected users of phishing emails and calls they might receive in the wake of this announcement.
According to Brian Krebs, the point-of-sale vendor whose log-in credentials were compromised is Pennsylvania-based Signature Systems.