Jimmy John’s became the latest high-profile retailer to report a possible breach of its point-of-sale system and a compromise of cardholder data. Jimmy John’s operates over 2,000 “gourmet sandwich” restaurants in 42 states.
According to a statement issued on September 24th, the company learned of the security incident on July 30, 2014. They said, “It appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014.”
The company originally stated that 216 locations had been compromised, but added another 108 to the list on Friday. Jimmy John’s asserts that the compromise has been contained and customers can use their credit and debit cards securely at Jimmy John’s stores.
Cards impacted by this event appear to be those swiped at the stores, and do not include cards entered manually or online.
Jimmy John’s and its POS vendor are not able to identify individual cardholders at risk, but have published a list of locations believed to be involved and warn customers who used those stores during the impacted period to be on alert.
The POS vendor, Signature Systems, uses remote control and management software to service the POS. This saves money compared to sending a tech out to the location, but the hackers were able to use that software to obtain access.
This is not entirely new news. The security blogger Brian Krebs reported on a possible breach at Jimmy John’s last July. Krebs has broken a series of high-profile stories on POS data breaches over the past year, from the Target data breach last year to the Backoff malware that has been hitting retail hard over the past 3 months.