Jimmy John's Confirms Data Breach

Payment Cards Used at 216 Restaurants Potentially Affected

The restaurant chain Jimmy John's has confirmed a payment card data breach that affected about 216 of its locations in 40 states.

Potentially exposed information includes card numbers and, in some cases, the cardholder's name, verification code and/or the card's expiration date. Information entered online, such as customer address, e-mail and password, remains secure, the company says. The Champaign, Ill.-based restaurant chain, which has more than 2,000 locations, did not reveal how many cards were potentially impacted.

Jimmy John's has provided a list of every location impacted by the breach and the time span of each compromise.

Investigation Details

The fast-food chain learned on July 30 of a possible security breach involving credit and debit card data at some of its locations, it says in a Sept. 24 statement. The company hired third-party forensics experts to assist with an investigation.

Although its investigation is ongoing, the company says it appears that customers' payment card data was compromised after an intruder stole log-in credentials from its "point-of-sale vendor." The intruder used those credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5 and to install malware.

The malware has been removed, the company reports. "Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements and reviewing its policies and procedures for its third-party vendors."

The restaurant chain is offering affected individuals free identity protection services. It declined to provide additional information beyond what's posted on its website.