Intruders gained access to info through POS system vendor

Sep 24, 2014 20:53 GMT

A security incident that affected information related to credit and debit cards used at 216 locations across the United States has been confirmed by the Jimmy John’s sandwich chain.

The company learned of a possible breach on July 30, but it took almost two months to initiate an investigation, reach the conclusion that customer payment data was exposed, and determine that the number of stores affected by the incident was 216.

After receiving alerts from financial institutions that fraudulent transactions were recorded on cards used at Jimmy John’s locations, the company started its own investigation, conducted by third-party forensic experts.

POS vendor at fault for the incident

The sandwich chain has over 1,900 locations across the US and most of them are franchises. This is an important detail because it means that there is no centralized payment system, which made the investigation more difficult.

However, the company recommends the use of particular point-of-sale (POS) systems, and it appears that the intruders managed to steal log-in credentials from the agreed POS vendor and use them for remote access to the payment systems at corporate and franchised locations between June 16 and September 5.

Jimmy John’s listed the affected stores and the dates of their compromise in a breach disclosure post. It also states that all the security measures to avoid a similar incident have been taken and that customers can use their credit and debit cards at its locations without running the risk of their data being compromised.

Only cards swiped at the physical locations of the business have been impacted; payment information collected via online purchases was not affected.

Sensitive info exposed, company adds increased security

The details exposed in the breach include the card number, the cardholder’s name, verification code, and/or the card’s expiration date. Jimmy John’s assures customers that all info entered online, such as email address and account password, remained secure.

“Jimmy John’s has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors,” the company said in a public statement.

News about the compromise was first published by security blogger Brian Krebs, who received the info from multiple financial institutions.

The investigation continues at this moment and there are no details on the number of customers affected by the incident.