SHARE

By of the

Jimmy John's confirmed Wednesday that it had a nationwide data breach at 216 locations this summer, including five sandwich restaurants in Wisconsin — Milwaukee, Sheboygan, Oshkosh, Portage and River Falls.

The breach lasted from June 16 to Sept. 5, 2014, depending on the location. Jimmy John's has not said how many cards were affected.

Hackers may have stolen credit and debit card numbers and in some cases the cardholder's name, verification code and/or the card's expiration date, Jimmy John's said in a news release Wednesday.

The company said information entered online, such as customer address, email and password, was secure.

The Wisconsin Jimmy John's stores affected and the time frames are:

■ Oshkosh (70 Wisconsin St.): June 16, 2014, through Aug. 1, 2014

■ Milwaukee (1532 W. Wells St. — at Marquette University's campus): June 16, 2014, through Aug. 7, 2014

■ Portage (2643 New Pinery Road): July 23, 2014, through Aug. 1, 2014

■ River Falls (477 Spruce St.): June 16, 2014, through Aug. 8, 2014

■ Sheboygan (2633 Calumet Ave.): July 1, 2014, through Aug. 1, 2014.

A full list of the stores hit in the data breach and time frames is available on Jimmy John's website.

There are more than 1,900 Jimmy Johns locations nationwide, so the breached locations represent about 11%.

Jimmy John's' confirmation of the breach comes nearly two months after cyber security reporter Brian Krebs of the website Krebs On Security first reported on July 31 that banks were seeing a pattern of fraud on cards recently used at Jimmy John's.

The company said it started investigating on July 30.

Hackers are able to intercept card information because there's a split second during the payment transaction — between the time when the consumer swipes his or her card and the time it's stored on the company's servers — where the information isn't encrypted.

That's when malware can capture it.

Malware installed on the payment terminals was responsible for the Home Depot and Target breaches.

Jimmy John's said hackers obtained access by stealing login credentials from the company's "point-of-sale" vendor. The company said it's now safe for customers to use their credit and debit cards at the chain.

"Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors," the company said in its news release.

Target and Home Depot have also transitioned to full encryption.

This may not prevent the breach itself, but it means hackers would only be able to obtain useless, garbled information.

The Jimmy John's data breach confirmation comes less than a week after the Home Depot confirmed a breach involving 56 million cards.

Michael Bruemmer, vice president of Experian's data breach resolution group, said data breaches are a growing problem.

He estimated there was a 10% increase last year, but said only the biggest breaches ever become public knowledge.

"Many times, breaches go underreported," he told the USA Today. "We have seen the recent retail breaches coming once every one week, or two weeks. On average, you're having between 600 and 700 breaches that are reported nationally.

Experian, last year alone, serviced 2,300 different incidents. Like an iceberg, only about 15% of breaches that occur are reported and make the media."

The breaches are also larger now, he said.

"Some of the breaches that were two or three million last year are now in the tens or hundreds of millions," he said.

Many businesses don't realize they've had a breach until hackers start selling stolen card information or card holders begin to report fraudulent charges.

The Journal Sentinel found information on at least 282,300 cards used in Wisconsin Home Depot stores for sale on an underground website.

Wisconsin banks are currently sending out replacement cards to some consumers whose cards may have been at risk.

Like Home Depot and Target, Jimmy Johns is offering free identity protection services to impacted customers through Sept. 24, 2015. The service is through AllClear ID, the same company that handles Home Depot's identity theft protection.

Consumers don't need to sign up for the service.

"Access to this service is automatically available to you with no enrollment required on your part," Jimmy John's said. "If a problem arises, simply call (855) 398-6442 and a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition."

Jimmy John's also encourages its customers to monitor their credit and debit card accounts and notify their banks if they see suspicious activity on their cards.

Want more consumer stories, viral stories, scam alerts, tips and the occasional freebie? Visit the Public Investigator blog at jsonline.com/piblog.

Facebook: fb.me/GitteLaasbyPage

Twitter: @GitteLaasbyMJS

Consumer tips

Consumers can protect themselves against identity theft and credit card fraud by taking a few simple steps:

■ Sign up for free text or email alerts from your bank when a charge is made on your account.

■ Use your card as a credit, not a debit card. This caps your potential financial liability at $50.

■ Sign up for the free credit monitoring offered by the hacked businesses.

■ Get your free credit report www.annualcreditreport.com to make sure no one opened accounts or lines of credit in your name.

■ Report any unauthorized charges or suspicious activity on your account to police and the issuer of your card.

■ If you're getting a new card, request a "smart card" that requires both a PIN code and a chip during payment. They are safer, but won't make a difference during online purchases. Only a limited number of stores take them, but all U.S. stores are required to by October 2015 or accept financial responsibility for any fraud.