Jimmy John's Confirms Data BreachPayment Cards Used at 216 Restaurants Potentially Affected
Potentially exposed information includes card numbers and, in some cases, the cardholder's name, verification code and/or the card's expiration date. Information entered online, such as customer address, e-mail and password, remains secure, the company says. The Champaign, Ill.-based restaurant chain, which has more than 2,000 locations, did not reveal how many cards were potentially impacted.
Jimmy John's has provided a list of every location impacted by the breach and the time span of each compromise.
The fast-food chain learned of a possible security breach on July 30 involving credit and debit card data at some of its locations, it says in a Sept. 24 statement. The company hired third-party forensics experts to assist with an investigation.
Although its investigation is ongoing, the company says it appears that customers' payment card data was compromised after an intruder stole log-in credentials from its "point-of-sale vendor" and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5 and install malware.
The malware has been removed, the company reports. "Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements and reviewing its policies and procedures for its third-party vendors."
The restaurant chain is offering affected individuals free identity protection services. It declined to provide additional information beyond what's posted on its website.