News

Jimmy John's confirms data breach

Intruders gained access to data via stolen POS login credentials.

September 24, 2014

Jimmy John's has confirmed that customer credit and debit card data was potentially compromised between June 16 and Sept. 5, according to a statement issued by the company.

According to the statement, Jimmy John's was alerted to the possible breach on July 30. Krebs on Security first broke the news of a possible breach on July 31.

It hired third-party forensic experts to investigate. Early results of the investigation indicate the following:

• Customers' credit and debit card data was compromised, including card number and in some cases the cardholder's name, verification code, and/or the card's expiration date.
• The intruder gained access using stolen login information from Jimmy John's POS vendor.
• The stolen login credentials were used to remotely access the POS systems at some corporate and franchise locations.
• A total of 216 stores have been affected. The locations and dates of exposure for each affected Jimmy John's location are listed on www.jimmyjohns.com.
• Only cards swiped at those stores have potentially been compromised. Cards entered manually and online purchases are not affected.

The investigation is ongoing.

In a statement, Jimmy John's said the compromise has now been contained.

"Jimmy John's has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors," a company spokesperson said in the statement.

Jimmy John's is urging customers to monitor their accounts and notify their banks if they notice any suspicious activity. Jimmy John's is also offering identity protection services to impacted customers.