Jimmy John’s Gourmet Sandwiches said Wednesday that payment card data was breached at about 216 restaurants between June and September.
The Champaign, Ill.-based operator has set up a website to answer questions and offered identity protection services to affected customers, which apparently span locations in 40 states.
“While the investigation is ongoing, it appears that customers' credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John's point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations,” the company said in a statement.
Jimmy John’s said it first learned of the security breach on July 30 and hired third-party forensic experts to assist with its investigation. The skimming of credit card information occurred between June 16 and Sept. 5, the company said.
“The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John's stores,” the company said.
The company said on its new security website that the malware used in the breach was apparently installed on the point-of-sale devices at most of the locations on July 1, “although a small number of stores were impacted as early as June 16.”
Most units had the malware removed from the POS devices between Aug. 3 and Aug. 5, but a small number of locations had the malware after that date, the company acknowledged.
“The potentially compromised information includes payment card information, such as the cardholder name, debit or credit card numbers, expiration date, and verification code,” the company said. “Jimmy John’s does not collect its customers’ Social Security numbers, and the computer system containing information such as customer email addresses and passwords was not a part of this event and remains secure.”
The company advised customers to check their credit and debit card statements for “unusual or suspicious activity, and if any is found, report it to your bank or credit card company.”
The company is also offering identity protection services to impacted customers, the details of which can be found on the website.
“Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third-party vendors,” the company said.
Restaurant brands have become a frequent target for data thieves. In August, Scottsdale, Ariz.-based P.F. Chang’s China Bistro Inc. said credit card data might have been stolen from 33 of its full-service domestic Bistro restaurants between Oct. 19, 2013, and June 11, 2014.
Later that month, Minneapolis-based American Dairy Queen Corp. reported that it was investigating, along with federal authorities, “suspicious activity” linked to payment cards used at some of its restaurants.
In Nation’s Restaurant News’ annual Top 100 census, Jimmy John’s had an estimated $1.5 billion in U.S. systemwide sales and 1,802 units domestically.
Contact Ron Ruggless at [email protected].