Count Jimmy John's as the latest data breach victim falling to a point-of-sale malware attack.
The sandwich chain today confirmed that 216 of its restaurants had been hit with an attack that began back in June, exposing its customers' credit and debit card information at those locations. The company said it hired third-party forensics experts to investigate a possible breach it first learned of on July 30.
According to Jimmy John's, the breach originated from log-in credentials stolen from its POS vendor, and encrypted POS swipe terminals have now been installed in stores.
The company said in a statement issued today:
"While the investigation is ongoing, it appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014. The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John’s stores."
Only payment cards that were swiped into POS terminals at those stores were exposed, not cards that were entered online or manually. Among the information exposed: card account numbers, cardholder names, verification codes, and expiration dates.
"Jimmy John’s has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors," the chain said.
The company says the malware has been removed from its network. It's offering identity protection services to affected customers. The list of affected restaurant locations is here.