Lesson from Jimmy John’s Security Breach: Get Used to It

While security researchers are still talking about the Home Depot breach, Jimmy John's is reporting a possible security breach of its own at the popular submarine sandwich chain.

Recently, Home Depot confirmed that a data breach put about 56 million customer credit and debit cards at risk. In its official statement, Jimmy John’s revealed its breach involved both credit and debit card data captured at some of its corporate-owned and franchised stores. Specifically, about 216 stores appear to be affected by the event.

“We apologize for any inconvenience this incident may have on our customers,” the company said. “Jimmy John’s values the privacy and security of its customers’ information, and is offering identity protection services to impacted customers, although Jimmy John’s does not collect its customers’ Social Security numbers.”


How Did it Happen?

Jimmy John’s said it hired third-party forensic experts to assist with its investigation immediately upon learning of the incident.

The company doesn't have all the answers yet, but early conclusions suggest customers' credit and debit card data was compromised after an intruder stole log-in credentials belonging to Jimmy John's point-of-sale vendor and used them to remotely access the point-of-sale systems at restaurant locations between June 16, 2014 and September 5, 2014. In other words, the attacker did not need to break the stores' systems directly; a legitimate third-party remote-access path, driven by stolen credentials, was enough.

The cards involved in the security incident seem to be those swiped in physical stores rather than card numbers entered manually or online. The leaked information may include not only the credit and debit card numbers, but in some cases also the cardholder’s names, verification codes, and/or the expiration dates of the cards.

There is some good news to report. According to the company, information consumers entered online, such as delivery addresses, e-mail addresses, and passwords, was not affected. Jimmy John's also said the compromise has been contained and that it has taken measures to prevent this type of incident from recurring: it is installing encrypted swipe machines (card readers that encrypt card data at the point of swipe, so the plaintext track data never reaches the point-of-sale software), implementing system enhancements, and reviewing its policies and procedures for third-party vendors.
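The access path described above, a vendor's remote-access account used against many store point-of-sale systems from an unexpected place and at unexpected hours, is exactly the kind of activity a short detection loop can surface. The following is an added example, not code from the article, Jimmy John's, or its vendor: it scans constructed remote-login records for a vendor service account and flags logins from addresses outside the vendor's expected networks, logins outside the agreed maintenance window, and one source reaching several stores within minutes. The log format, account name, allowed network, window, and thresholds are all assumptions chosen for illustration.

```python
"""
Added example: flag suspicious remote point-of-sale logins by a third-party
vendor account. Log format, account name, allowlist and thresholds are
assumptions for illustration, not anything from the article.
"""
import ipaddress
from datetime import datetime, time

# Constructed sample log lines (assumed format:
# ISO timestamp, store=<id>, user=<account>, src=<ip>, result=<success|failure>).
SAMPLE_LOG = """\
2014-06-15T14:02:11 store=0417 user=possvc_remote src=203.0.113.10 result=success
2014-06-16T03:41:27 store=0417 user=possvc_remote src=198.51.100.77 result=success
2014-06-16T03:42:05 store=0522 user=possvc_remote src=198.51.100.77 result=success
2014-06-17T11:15:40 store=0109 user=jdoe src=10.20.0.5 result=success
2014-06-18T02:10:09 store=0630 user=possvc_remote src=203.0.113.10 result=success
"""

# Hypothetical policy: the vendor's support account, the network it is
# expected to connect from, and its agreed maintenance window (local time).
VENDOR_ACCOUNTS = {"possvc_remote"}
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
WINDOW_START, WINDOW_END = time(8, 0), time(20, 0)
# One source touching this many distinct stores within this many seconds
# looks like scripted fan-out rather than a technician working one ticket.
FANOUT_STORES, FANOUT_SECONDS = 2, 600


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def analyze(log_text):
    """Return a list of alert dicts for vendor-account logins that break policy."""
    alerts = []
    by_src = {}  # source IP -> [(ts, store), ...] for successful vendor logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["user"] not in VENDOR_ACCOUNTS or rec["result"] != "success":
            continue
        src = ipaddress.ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in VENDOR_NETWORKS):
            reasons.append("unexpected_source")
        if not (WINDOW_START <= rec["ts"].time() <= WINDOW_END):
            reasons.append("outside_window")
        by_src.setdefault(rec["src"], []).append((rec["ts"], rec["store"]))
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "store": rec["store"],
                           "src": rec["src"], "reasons": reasons})

    # Fan-out check: the same source reaching several stores in a short span.
    for src, events in by_src.items():
        events.sort()
        for ts, _store in events:
            stores = {s for t, s in events
                      if 0 <= (t - ts).total_seconds() <= FANOUT_SECONDS}
            if len(stores) >= FANOUT_STORES:
                alerts.append({"ts": ts.isoformat(), "store": ",".join(sorted(stores)),
                               "src": src, "reasons": ["multi_store_fanout"]})
                break  # one fan-out alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises four alerts: two for the 198.51.100.77 logins (wrong network and outside the window), one fan-out alert for that same source hitting two stores 38 seconds apart, and one for the vendor's own network connecting at 02:10. The first login, from the expected network during business hours, produces nothing. In practice the allowlist and window come from the vendor contract, and the fan-out threshold is tuned to how many stores a technician legitimately services in a session.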

Get Used to It

We turned to Mike Davis, CTO at real-time endpoint threat detection firm CounterTack, to get his thoughts on the Jimmy John’s breach. He told us the recent attack illustrates that breaches are now just another part of life.

“The most important thing to remember in protecting one’s reputation following a breach is to try and shorten the time between when a breach occurs and when the company actually detects the how/where it was hacked,” Davis said.

As he sees it, companies need to take the Jimmy John's breach as one more lesson to fold into their overall security strategies. The lesson is this: invest in technologies that capture the context of a breach, meaning what was accessed, how, and from where, so the answers exist when the questions arrive.

“Organizations that don’t have the technology in place that will provide this kind of context will find themselves in an awkward limbo of trying to figure out what happened while trying to dodge from responding to questions that they don’t have the answer to,” Davis said. “The less organizations know about their attacks, the longer they’ll be in the media spotlight.”


