Jason's Deli: Hackers Dine Out on 2 Million Payment Cards164 Restaurants Featured Malware Special for 7 Months
Jason's Deli is the latest business in the hospitality or retail sector to confirm that attackers have stolen its customers' credit and debit card details, leading to fraud.
The privately owned business, based in Beaumont, Texas, operates 266 restaurants in 28 states.
"As with so many breaches before ... these 'we were hacked' reports follow a well-worn, depressing narrative."
The restaurant chain's Jan. 11 data breach notification says it believes 2 million payment cards were stolen from 164 restaurants in 14 states.
Here's the short version:
- Intrusion: Cybercriminals successfully install RAM-scraping malware onto one or more point-of-sale devices;
- Fraud: The breached business discovers the intrusion only after card issuers spot patterns of payment fraud that traced back to their organization (see Forever 21 Suffered 7-Month POS Malware Attack);
- Investigation: The potentially breached business then calls the FBI or Secret Service and hires a third-party firm to investigate, issuing a press release to that effect, typically on a Friday to try and bury the bad news;
- Findings: After the investigation concludes, the business says it's working with card issuers to flag affected payment cards. The breached business may - although typically will not - quantify how many customers and payment cards it believes were infected;
- Lawsuit: Some batch of customers will take to social media, threatening to sue, and one or more lawsuits seeking class action status will be filed, with the vast majority of them getting thrown out because consumers cannot prove financial harm (see Why So Many Data Breach Lawsuits Fail).
Breach: Jason's Deli
Here's where we are with that narrative, Jason's Deli style:
"On December 22, 2017, Jason's Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the 'dark web,' and that an analysis of the data indicated that at least a portion of the data may have come from various Jason's Deli locations," the company says in its breach notification.
The company issued an initial heads-up on the investigation, six days after launching that investigation, noting that it was working with law enforcement agencies and had hired third-party digital forensic investigators (see Data Breach Notifications: What's Optimal Timing?).
"From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason's Deli restaurants ... starting on June 8, 2017," it adds. "During the course of the investigation, our response team contained the security breach and has also disabled the malware in all of the locations where it was discovered."
The restaurant chain has published a list of all restaurants affected by the breach, and recommends that customers review that list as well as their payment card statements to look for unusual activity.
Jason's Deli's breach notification includes a list of the 164 restaurants - across 14 states - that were infected with POS malware during the seven-month infection window.
Kudos to the restaurant chain for quantifying the lost card data: It suspects that about 2 million payment card details - including cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code - went missing.
Jason's Deli previously suffered a POS malware breach in 2010.