Jimmy John’s Confirms Credit Card Data Breach At 216 Locations

Months after it was first reported that payment systems at sandwich chain Jimmy John’s may have been compromised, the company is finally confirming that 216 of its stores were indeed hacked, putting customers’ credit and debit card data at risk.

In an announcement this morning, Jimmy John’s says that it learned of the breach back on July 30, around the same time that KrebsOnSecurity.com reported on the investigation.

The company says it immediately hired third-party forensic experts to investigate, and though the probe still continues, Jimmy John’s is confirming that a breach did hit the 216 locations and lasted from June 16 through Sept. 5, more than a month after it learned of the attack.

The 216 stores represent about 11% of all Jimmy John’s locations.

The entry point for the hackers is believed to be stolen login credentials for the vendor Jimmy John’s uses to handle its point-of-sale transactions. With that access, the thieves were able to remotely access the payment systems at the stores in question — both corporate and franchised — and siphon off customers’ card information.

Jimmy John’s claims their system is now secure and customers can safely use their cards to buy sandwiches.

Much like other recent hacks, this breach did not affect customers who paid online; only those who swiped their cards at the cash register were compromised.

Stolen info could include the customer’s card number, name, verification code, and/or the card’s expiration date.

The list of stores involved in the breach, along with the dates during which they may have been compromised, can be found HERE.

It looks like most of the locations were locked down within a few days of the breach being detected. Some lingered until mid-August, and only one — a Jimmy John’s in Cedar Rapids, IA — made it all the way into September before the problem was fixed.

“We apologize for any inconvenience this incident may have on our customers,” reads a statement from the company, which is offering free identity protection services for 12 months to customers who ate at one of these locations.

For more info on this program, call (855) 398-6442.

[via KrebsOnSecurity]