The size of a recent payment card breach may affect around 324 US restaurants.
As reported last week, the US sandwich chain is investigating a potential data breach at 216 of its sandwich shops that may affect credit and debit cards used at its franchises between June and September of this year.
However the breach is also being investigated by point of sale technology manufacturer Signature Systems, who believed that some 324 restaurants may be affected, according to a statement. Signature Systems discovered the intrusion in late July when malware was not been picked up by a restaurant’s anti-virus program, allowing an “unauthorised person” to gain access to a user name and password that Signature Systems used to remotely access POS systems.
Access was used to install malware that captured payment card data including the cardholder’s name, card number, expiration date, and verification code.
Signature Systems said that it had removed the malware from most of the affected locations within eight days (by August 5th), but for a small percentage, it was not able to completely remove the malware from all devices in the system until mid-September.
The stores affected include 216 Jimmy John’s stores, and 108 other restaurant locations. “The time frame during which payment cards may have been captured at an affected restaurant varies across the affected locations. June 16 is the earliest date that cards were at risk at certain locations,” it said.
Rob Cotton, CEO at global information assurance firm NCC Group, said: “The retail industry needs to take this threat extremely seriously as this is quickly turning into a systemic issue for the sector. This won’t be the last cyber attack like this and our concern is that even if retailers in technically sophisticated and comparatively affluent countries address this issue, the threat will simply move to less capable countries and retailers.”
Eric Chiu, president and co-founder of HyTrust, said: “The breach at Jimmy John’s is a repeat of the many breaches that have happened over the last twelve months starting with stolen credentials that were used to access large amounts of credit and debit card data without being detected. This is also highlighted by the fact that Jimmy John’s learned about the breach on July 30th and the investigation is still ongoing.
“This breach, on the heels of an FBI warning that disgruntled IT employees are a big security threat to this nation, also underscores the access that employees — as well as outside attackers posing as employees — have to steal data or wreak havoc with systems.”