‘Wichcraft Sandwich Shops Reveal Credit Card Hack From 3 Months Ago

The ‘wichcraft location in New York City’s Bryant Park. (Photo: @wichcraft)

While it’s certainly not on the scale of the recent Target breach, ‘wichcraft, the chain of sandwich shops co-founded by Top Chef’s Tom Colicchio, announced yesterday that its payment card system for locations in NYC and San Francisco was compromised for several weeks earlier this year, giving hackers access to customers’ names, card numbers, security codes, and expiration dates.

According to a statement posted on the chain’s website [PDF], the hack began around Aug. 11 and continued until Oct. 2. While the company says it immediately took steps to prevent future hacks and that it’s working with law enforcement to help investigate the incident, there is no information provided as to why no announcement was made about the breach until Dec. 30.

“We take our obligation to safeguard your personal information very seriously,” reads the statement. “We are alerting affected customers about this incident so they can take steps to help protect their information.”

As happens in these situations, ‘wichcraft is reminding people to check their credit reports, and that they can get a free report once a year from each of the three main credit bureaus via http://www.annualcreditreport.com.

“We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports,” writes ‘wichcraft. “If you believe your payment card may have been affected, we recommend that you immediately contact your bank or card issuer.”

‘wichcraft customers who wish to speak directly with someone at the company can call (866) 942-4272, ext. 6, Monday through Friday from 8:00 a.m. to 8:00 p.m. EST.

  1. MissPurdy says:

    How is it that these places don’t use a system that encrypts the card data? There is no reason to have the card number and expiration date on the site’s computer after the transaction has been sent, which should be done immediately after it’s swiped.

    • patorran says:

      Some companies may be under the misconception that if the data is being stored internally it is safe. The term “breach” isn’t in the vocabulary of the parties storing the data because “that’s a network/IT problem”. And besides, they may need that data for support purposes.

      Sadly I’ve seen arguments such as this first hand. PCI compliance shouldn’t be considered optional.

      • MissPurdy says:

        The card user’s name and the last four digits of their card number are maybe all the information they should need. I used to program POS systems for Micros a few years back, and when I first started the job the entire CC number used to print on the voucher. The law changed in NYS to remove this information, or it might have been a federal law, I don’t recall. We had to go to each site and update the software so all you see is the XXXX’s on the voucher and on the local system.

        Also these smaller sites should be transmitting that data right away and not holding it to run as a batch at a later time/date – that is where the trouble starts.
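The two controls MissPurdy describes above, masking the voucher to the last four digits and not leaving full card numbers sitting on the local system waiting for a batch, can both be checked mechanically. The following is an added example, not code from the article, from ‘wichcraft, or from Micros: it masks a PAN the way the updated vouchers do, and scans a local voucher spool or batch file for any cleartext card numbers that should no longer be there. The function names and the sample spool lines are constructed for illustration; the card numbers in them are the publicly documented test PANs, not customer data.

```python
import re

# PCI DSS permits at most the first six and last four digits of a PAN to be
# displayed; the voucher fix described in the comment keeps only the last four.
# Matches 13-19 digits, optionally separated by spaces or dashes, that are not
# part of a longer digit run (constructed pattern, not from any POS vendor).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for a receipt or voucher: only the last four digits survive."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "X" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list[tuple[int, str]]:
    """Scan stored text (a voucher spool, batch file or log) for cleartext PANs.

    Returns (line_number, masked_pan) pairs. The full PAN is never returned,
    so running the scan does not create yet another copy of card data.
    A 16-digit order reference that fails Luhn is not reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


# Constructed sample of a local voucher spool. The card numbers are the public
# test PANs 4111 1111 1111 1111 and 5555 5555 5555 4444; line 2 is already
# masked and line 3 carries a non-card 16-digit reference.
SAMPLE_SPOOL = """\
2013-08-11 12:02:17 sale 0001 VISA 4111 1111 1111 1111 exp 01/15 amount 11.50
2013-08-11 12:05:41 sale 0002 MC   XXXXXXXXXXXX4444 exp 03/16 amount 8.75
2013-08-11 12:07:03 order-ref 1234567890123456 status queued
2013-08-11 12:09:55 sale 0003 MC   5555555555554444 exp 03/16 amount 9.25
"""

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_SPOOL):
        print(f"line {lineno}: cleartext PAN stored, ends in {masked[-4:]}")
```

Running the scan over the sample reports lines 1 and 4 only: the already-masked voucher on line 2 has nothing to find, and the order reference on line 3 is excluded by the Luhn check, which keeps the scanner from drowning a real finding in false positives when it is pointed at a whole POS directory.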

  2. PhillyDom says:

    How can these businesses lie so brazenly? If they really “take our obligation to safeguard your personal information very seriously,” they wouldn’t have waited three months to tell people.

    “We encourage you to remain vigilant…” Because we certainly won’t.