Jimmy John's, the nationwide chain offering “gourmet sandwiches,” confirmed today that a security breach involving one of its payment vendors compromised customer data at 216 different locations throughout the country (out of roughly 1,900 locations in all).
Security blogger Brian Krebs first reported the possibility of a breach in July; at the time, his sources in various financial institutions mentioned seeing a spike in fraud complaints involving cards which had been used at a Jimmy John's at some point.
Jimmy John's blames the breach on an unnamed payment vendor (which Krebs' sources suspect is actually Signature Systems, Inc.).
Whoever the vendor is, Jimmy John's said that someone stole login credentials from that vendor, and used them to remotely access point-of-sale systems to steal data between June 16 and Sept. 5 of this year.
The company issued a statement saying “Approximately 216 stores appear to have been affected by this event … Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, email, and password, remains secure.”
So far, it hasn't been announced which specific stores used the breached payment vendor, so to play it safe: if you visited any Jimmy John's location and used a payment card between June 16 and Sept. 5, keep an extra-sharp eye on your account activity.