By now you've surely noticed that, anytime you read the initial news story “Hackers breach this company's customer database,” there's always a follow-up story that goes something like, “Turns out, the hacking's even worse than initial reports indicated.”
So, on Sept. 24, the Jimmy John's sandwich chain confirmed that, yes, a security breach at one of Jimmy John's third-party payment vendors had compromised customer data from every Jimmy John's store that used that vendor: at least 216 stores out of approximately 1,900 nationwide.
At the time, Jimmy John's didn't specify who that payment vendor was, but security blogger Brian Krebs (who first discovered the Jimmy John's breach) said his sources suspected the vendor was Signature Systems, Inc., and it was their point-of-sale systems that got hacked.
That was the initial story. Today, Krebs provided the “news is even worse” follow-up: Signature Systems confirmed that its compromised point-of-sale systems were not only behind the Jimmy John's breach but had also exposed customer data at over 100 other independent stores or businesses.
Signature Systems released a statement saying:
We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems. The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card. … This incident affected 216 Jimmy John’s stores and 108 other restaurant locations.
Not too helpful
Signature also provided a complete list of affected stores and businesses (scroll down to the bottom of the page). However, that list isn't entirely useful, because it gives only company names, without street addresses, cities or even states.
This is fine for identifying independent restaurants with unique, one-of-a-kind names: a Google search for the entry “Di Fiores Pizzeria and Italian Restaurant” brought up exactly one hit, that of Signature Systems' own list, and a search for the truncated “Di Fiores Pizza” brought up only a couple of dozen hits, pointing to a restaurant in Neffs, Pennsylvania.
But Signature's list also mentions that a “Mario's Pizza” was affected — and the U.S. has thousands of independent pizza restaurants going by that name and scattered across all 50 states.
Which of them was the one that used Signature's point-of-sale system to handle its payments? Right now, without knowing at least the city and state, there's no easy way to tell. But if you're fond of dining at independent “mom-and-pop” restaurants, it wouldn't hurt to check the list in case any of the company names sound familiar.