Euro Security Watch with Mathew J. Schwartz


Jason's Deli: Hackers Dine Out on 2 Million Payment Cards

164 Restaurants Featured Malware Special for 7 Months
Photo: Picture Des Moines, via Flickr/CC

Jason's Deli is the latest business in the hospitality or retail sector to confirm that attackers have stolen its customers' credit and debit card details, leading to fraud.


The privately owned business, based in Beaumont, Texas, operates 266 restaurants in 28 states.

The restaurant chain's Jan. 11 data breach notification says it believes 2 million payment cards were stolen from 164 restaurants in 14 states.

As with so many breaches before - from Chipotle and Wendy's to Hilton and Trump Hotels - these "we were hacked" reports follow a well-worn, depressing narrative (see 'Where's the Breach?').

Here's the short version:

  • Intrusion: Cybercriminals successfully install RAM-scraping malware onto one or more point-of-sale devices;
  • Fraud: The breached business discovers the intrusion only after card issuers spot patterns of payment fraud that trace back to the organization (see Forever 21 Suffered 7-Month POS Malware Attack);
  • Investigation: The potentially breached business then calls the FBI or Secret Service and hires a third-party firm to investigate, issuing a press release to that effect, typically on a Friday to try and bury the bad news;
  • Findings: After the investigation concludes, the business says it's working with card issuers to flag affected payment cards. The breached business may - although typically will not - quantify how many customers and payment cards it believes were affected;
  • Lawsuit: Some batch of customers will take to social media, threatening to sue, and one or more lawsuits seeking class action status will be filed, with the vast majority of them getting thrown out because consumers cannot prove financial harm (see Why So Many Data Breach Lawsuits Fail).

Breach: Jason's Deli

Here's where we are with that narrative, Jason's Deli style:

"On December 22, 2017, Jason's Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the 'dark web,' and that an analysis of the data indicated that at least a portion of the data may have come from various Jason's Deli locations," the company says in its breach notification.

The company issued an initial heads-up on the investigation, six days after launching that investigation, noting that it was working with law enforcement agencies and had hired third-party digital forensic investigators (see Data Breach Notifications: What's Optimal Timing?).

"From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason's Deli restaurants ... starting on June 8, 2017," it adds. "During the course of the investigation, our response team contained the security breach and has also disabled the malware in all of the locations where it was discovered."

The restaurant chain has published a list of all restaurants affected by the breach, and recommends that customers review that list as well as their payment card statements to look for unusual activity.

Jason's Deli's breach notification includes a list of the 164 restaurants - across 14 states - that were infected with POS malware during the seven-month infection window.

Kudos to the restaurant chain for quantifying the lost card data: It suspects that about 2 million payment card details - including cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code - went missing.

Jason's Deli previously suffered a POS malware breach in 2010.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
