Vendor: 100 Restaurants BreachedSignature Systems Says Jimmy John's Just One of the Victims
The point-of-sale vendor behind the recently confirmed Jimmy John's data breach has stepped forward, saying that along with the 216 impacted Jimmy John's locations, an additional 108 different restaurants were compromised (see: Jimmy John's Confirms Data Breach).
The announcement should prompt organizations to reach out to their business partners and vendors to ensure they've taken sufficient steps to protect their systems, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service.
"Reach out to all of your relevant business partners and vendors to see what steps they have taken, outside of routine compliance, to scan and further protect their systems," he says. "Everyone should audit logins for third-party vendors and former employees to ensure that they are disabled when appropriate."
Signature Systems Breached
Signature Systems, Inc., which provides point-of-sale systems for restaurants, says an unauthorized person gained access to a username and password that the vendor used to remotely access POS systems.
"The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants," Signature Systems says in a statement. Those stores impacted include local pizza restaurants, bakeries and bagel shops, among others, located in 18 states.
The malware was capable of capturing the cardholder's name, card number, expiration date and verification code from the magnetic stripe of the card, the vendor says. In addition, it was designed to avoid detection by anti-virus programs running on the POS systems.
Jimmy John's says the payment card breach affected about 216 of its locations in 40 states. The Champaign, Ill.-based restaurant chain, which has more than 2,000 locations, did not reveal how many cards were potentially impacted.
Signature Systems did not immediately respond to a request for additional information.
The earliest date that cards may have been captured is June 16, Signature Systems says. After learning of the potential breach on July 30, by Aug. 5, the vendor had removed the malware from most of the affected locations. "For a small percentage, we were not able to completely remove the malware from all devices in the system until mid-September," Signature Systems says.
Signature Systems says it cannot identify which specific cards were taken. As a result, it has provided a list of the affected restaurants and the timeframes of potential compromise.
"Although we know the affected locations and time frames when cards were at risk, we do not have access to transaction information that would let us know how many cards were used in those stores during the at-risk times," Signature Systems says.
Following the breach, the vendor has been working with the credit card networks and law enforcement to investigate the incident.
Managing the Risks
Signature Systems' announcement is a "relatively transparent statement" about the breach, FICO's Buzzard says. "Everyone in the industry has a much stronger ability to prevent fraud when they know what they are up against," he says.
The latest disclosure comes off the heels of the U.S. Secret Service's recent estimate that more than 1,000 U.S. businesses have had their systems infected by Backoff, a new point-of-sale malware that has been linked to numerous remote-access attacks (see: 1,000 Businesses Hit By POS Malware).
It also follows another vendor breach at C&K Systems, the vendor identified by Goodwill Industries International as the source of a breach that impacted about 330 of its stores (see: Goodwill Vendor Describes Breach).
And while Signature Systems doesn't identify Backoff as the malware involved, the situation serves as a reminder that organizations should be checking for possible malware infection, Buzzard says.
The overall message to send to vendors? "Prove to me that you are not in any way contributing to my overall exposure to risk through our business association," Buzzard says.
Payment Systems in 'Crisis Mode'
Avivah Litan, analyst at consultancy Gartner, says the card payment systems are in crisis mode. "The card companies and networks should have headed this off many years ago ... by rolling out EMV chip cards and tokenization more quickly, and with a sense of urgency," she says.
"We can't keep blaming retailers and third parties when the payment system itself is flawed and inherently insecure," Litan says. "Merchants and their vendors can't be expected to protect the magnetic stripe data. It's a losing proposition."