Sandwich chain Jimmy John’s has confirmed a data breach involving customer debit and credit card data at 216 of its stores.

A statement from Jimmy John’s reveals that a hacker obtained login credentials from credit card readers at both corporate and franchised locations between June 16 and September 5. The hack was discovered on July 30, a month and a half after the initial breach, and was contained on September 5, just over a month later.

Only cards swiped in JJ’s stores were affected, which will come as a relief to sub fans who order online. It has not been revealed how many cards were affected but a three-month-long attack at 216 stores suggests the number will be high.

Jimmy John’s has now installed card data encryption machines and is ‘reviewing its policies and procedures for its third party vendors’.

The statement from Jimmy John’s suggests the involvement of a third party but a company name isn’t referenced.

For updates on this story, please subscribe to the IT Governance data breaches updates below:

[email-subscribers namefield=”YES” desc=”” group=”Databreachupdates”]