News

Jimmy John's confirms data breach

Data stolen via compromised POS devices included card numbers and, in some cases, the cardholder's name and the card's expiration date and ccv number.

September 25, 2014

Jimmy John's has confirmed that customer credit and debit card data was potentially compromised between June 16 and Sept. 5, according to a statement issued by the company.

The franchise restaurant chain was alerted to the possible breach on July 30, according to the statement. Krebs on Security broke the news of a possible breach on July 31.

The chain has hired third-party forensic experts to investigate; early results indicate that:

• data compromised included the card number and in some cases the cardholder's name and the card's expiration date and ccv number;
• the intruder gained access using stolen login information from the POS vendor for Jimmy John's;
• the stolen login credentials were used to gain access to POS systems at some corporate and franchise locations;
• a total of 216 stores were affected; the location and date of exposure for each are listed at jimmyjohns.com; and
• only cards swiped at these stores have potentially been compromised. Cards entered manually and those used for online purchases are not affected.

Jimmy John's said that the investigation is ongoing, but the breach has been contained.

"Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors," a company spokesperson said in the statement.

Jimmy John's is urging customers to monitor their accounts and notify their banks if they notice any suspicious activity. Jimmy John's is also offering identity protection services to impacted customers.