Signature Systems responsible for the payment information leak at the 216 Jimmy John's sandwich stores

Sep 26, 2014 22:53 GMT

Point-of-sale (PoS) equipment vendor Signature Systems announced that an unauthorized person managed to plant malware on its payment terminals in 324 restaurant locations across the United States.

The incident affected credit and debit cards used at 216 Jimmy John’s stores and franchised locations, as the sandwich chain announced on Wednesday.

Signature Systems has been blamed for compromising card data of Jimmy John’s customers, but the disclosure statement did not give any names, saying that “an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor.”

In an official statement issued on Friday, Signature Systems said that 108 other restaurant locations using its payment terminals were affected, in addition to the Jimmy John’s ones.

It took three months to clear all affected systems of malware

The first sign of intrusion was traced back to June 16, when an unauthorized person used Signature Systems credentials for remote access to the PoS systems in the restaurants.

Once logged in, the perpetrator proceeded “to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.”

The information exposed consisted of the name of the cardholder, credit and debit card number, as well as expiration date and verification code from the magnetic stripe.

After receiving alerts of a possible breach on July 30 and during the ensuing week, the company cleared the malicious software from the payment terminals in most of the affected locations.

Removing the malware from all machines was not possible until mid-September. In the case of Jimmy John’s, the last unauthorized access happened on September 5.

Number of impacted customers is unknown

The company says that it could not identify the cards impacted by the incident and that it does not have names or addresses of the potentially affected customers. As a result, it falls to each individual who used a card at one of the compromised locations to notice fraudulent charges and notify the bank that issued the card.

A list of all affected locations and the timeframe of the compromise at each is provided in the disclosure announcement. In some cases the breach lasted only a few days, but for some restaurants the listed compromise period is as long as three months.

Most of the locations are pizza shops, but places serving other dishes are also on the list, such as Wings to Go, Costello's Italian Ristorante, Romanelli’s or Austin's Bar & Grill.

Signature Systems also provides details on what potentially affected customers can do in the case of fraudulent transactions on their cards.