Credit Card Info Hacked At Penn Station Sub Shops

Penn Station is a chain of 238 sandwich shops around the country. It’s also the latest business to have its customers’ credit card info stolen.

The company first announced the breach on June 1 but has recently updated the list of affected restaurants, saying that, as of June 5, it knows of at least 59 Penn Station shops in 9 states — Illinois, Indiana, Kentucky, Michigan, Missouri, Ohio, Pennsylvania, Tennessee, and West Virginia — that could be affected by the breach.

The full list of affected Penn Station shops is HERE.

Customers at these restaurants are advised to immediately check their credit card balances to see if there is any unusual activity. It also couldn’t hurt to check your credit reports to make sure no one is trying to open a new line of credit in your name.

Since the chain processes all debit cards as credit cards, it says that no PINs were compromised in the hack.

Penn Station says the data breach likely began in March and that the company made immediate changes to how it processes card payments. These changes were made at all Penn Station shops, not just those affected by the breach.

The problem was detected after a customer noticed abuse on his credit card shortly after using it at Penn Station. The company subsequently contacted its payment processor and federal authorities.

If you used your card at Penn Station and want to speak to someone at the chain, you can call 1-513-474-5957, Monday through Friday from 9 a.m. to 4 p.m. ET.

Restaurant Chain Reports Card Breach [BankInfoSecurity.com]

Thanks to Rob for the tip!

Comments

  1. Evil_Otto would rather pay taxes than make someone else rich says:

    Sounds like an inside job, if it’s that many locations.

  2. consumed says:

    Does anyone pay with cash anymore?

    In other news, now I’m craving Penn Station and there isn’t one within a 600 mile radius of me. Thanks, Consumerist.

  3. marc6065 says:

    I am with you, consumed. Why the hell are all these stupid people paying with credit/debit cards for small amounts? I was at Taco Bell the other day and their computer could not run the card of the guy in front of me, and he had no cash. It was for $4.28!!! What the hell is wrong with people paying with a card at 7-11, McDonald's, Taco Bell, etc., etc.? One of these days those people are gonna shit if the computers go down for a few days.

    • JJFIII says:

      1. Some people prefer not to carry cash
      2. Some people get rewards and cash back on purchases
      3. Who the fuck are you to tell me how I should pay for something?
      4. LEGALLY, I am only responsible for $50 if it is compromised, but every single one of my credit cards protects me from dollar one.
      5. If my wallet gets stolen or lost or burns in a fire and I have cash, I lose. If I only have cards I lose nothing

    • rawrali says:

      I have a high interest rate checking account with my credit union. In order to earn the high interest rate, I have to use my debit card for at least 25 transactions every month. If I didn’t use my debit card on many of my low-ticket purchases, I would never qualify. I do always keep a bit of cash on me, but there is at least one reason why people do it.

    • jamar0303 says:

      Airline miles for me if paying by credit. And the general lack of ATMs (I think I can count the number of them in Tennessee on both my hands) that take my Chinese debit card (where most of my money goes nowadays) whereas it works for direct purchasing at any shop that takes Discover…

      I mean, I COULD write US checks off that account, but at over $7 a pop, do I want to?

  4. nybiker says:

    As someone who lives in New York City, I was thinking that the headline was about the various food stores in Penn Station, not an actual store called Penn Station.
    http://en.wikipedia.org/wiki/Pennsylvania_Station_(New_York_City)

    • coffeeculture says:

      same here…then i thought, man, who would want to voluntarily go to penn station?

  5. Quake 'n' Shake says:

    I always thought Penn Station was a weak NYC landmark to use as a name for a sandwich shop chain. Why not “Grant’s Tomb,” “South Ferry” or “69th Regiment Armory?”

  6. Emily says:

    I’d never heard of this chain and am surprised that diners find the “Penn Station” name appealing. Let us welcome you to our sister restaurants “Bus Depot” and “Port Authority.”

  7. unpolloloco says:

    “It also couldn’t hurt to check your credit reports to make sure no one is trying to open a new line of credit in your name.”

    What? How would someone with someone’s credit card number be able to open a new line of credit?

  8. goodpete says:

    Nice of them to offer a “Frequently Asked Questions.” But it would be better if they answered some “Good Questions” such as:

    Why was Penn Station storing credit card details?
    How were so many different shops targeted? Were credit card details being transmitted to a centralized location?
    Were the credit card details encrypted? If not, why?
    Why was Penn Station storing names off credit cards in addition to numbers?
    Is this sort of negligent behavior acceptable to credit card processors/issuers? If not, will Penn Station continue to be allowed to accept credit card details? Will they be audited in the future?

    It’s absolutely absurd that this sort of thing happens. There’s absolutely no reason for retail shops or eateries to be storing credit card details without express permission from customers. The only reason I can think for doing this would be to track purchases without customers’ consent or authorization and without appropriately compensating them (see: rewards programs). Even if they feel they MUST track customers’ purchases this way, they should be using 1-way hashes of the customers’ data. They should NOT be storing the data in a way it can be retrieved later.

    I ate at Penn Station today. They have great food and the people who work at my local Penn Station (thus far not listed as compromised) are wonderful people. But I’m never handing them my credit card again. They have lost my trust.
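Added example, not part of the original article or of the comment above: a sketch of the one-way tracking idea, showing that an unkeyed hash of a card number can be reversed by enumeration when the first six and last four digits are known, and that a keyed hash (HMAC) gives the same repeat-customer matching without that weakness. All function names are hypothetical, the card number is the public test value 4111111111111111, and the key is a constructed sample.

```python
import hashlib
import hmac

def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plain_hash(pan: str) -> str:
    """Unkeyed one-way hash: deterministic, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 token: matching works only for holders of the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def recover_from_plain_hash(digest: str, bin6: str, last4: str):
    """Audit check: with first six and last four digits known (as printed
    on many receipts), only 10**6 middle values remain to be tried."""
    for mid in range(10**6):
        pan = f"{bin6}{mid:06d}{last4}"
        if luhn_ok(pan) and plain_hash(pan) == digest:
            return pan
    return None

def same_customer(token_a: str, token_b: str) -> bool:
    """Constant-time comparison of two stored tokens."""
    return hmac.compare_digest(token_a, token_b)

# Constructed sample values (assumptions, not data from the article).
TEST_PAN = "4111111111111111"               # public test card number
SAMPLE_KEY = b"constructed-sample-key-32bytes!!"  # real keys belong in an HSM

if __name__ == "__main__":
    stored = plain_hash(TEST_PAN)
    print("plain hash reversed to:",
          recover_from_plain_hash(stored, "411111", "1111"))
    visit1 = keyed_token(TEST_PAN, SAMPLE_KEY)
    visit2 = keyed_token(TEST_PAN, SAMPLE_KEY)
    print("repeat customer matched:", same_customer(visit1, visit2))
```

The keyed token is only as safe as the key: if the key is stored beside the tokens, the same enumeration applies.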

  9. suburbancowboy says:

    Why would you name your sub shop after Penn Station? You might as well call it Port Authority Bus Station Bathroom. Penn Station is a s***hole. I walk through it every day, and it has not one redeeming quality. Grand Central on the other hand is gorgeous and worth visiting just to look at.

    • JJFIII says:

      Yeah, it was such a bad name that they were able to start with one store and make 238 of them throughout the country. YOU of course are a business superstar who has opened many businesses with far greater names that have gone on to great success?
      Oh, and there is a company called Apple. If you think it through, Apple has zero connection to technology, and they seem to have done ok

      • dpeters11 says:

        Funny thing, if you do a Google search for apple, you don’t get a result for the fruit until around the third link, the wikipedia article. The rest of the first page is dominated by Apple, Inc.