Payment Systems Vendor Hacked, Hits 216 Jimmy John’s And 108 Other Restaurants

The Jimmy John’s sandwich chain confirmed earlier this week that the compromise of one of its third-party payment vendors, Signature Systems, beginning in early June led to the exposure of customer information at 216 stores nationwide.

However, the point-of-sale vendor has now reported that the breach is bigger than originally anticipated, affecting 108 additional independent restaurants not affiliated with Jimmy John’s.

In a notice posted on Signature Systems’ site, the vendor stated:

“We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant’s anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures.”

Signature Systems also stated that the attacker carried out the intrusion by gaining access to a username and password the vendor used to remotely access POS systems. The attacker was then able to install malware that captured customers’ payment card data, including the cardholder’s name, card number, expiration date and verification code from the magnetic stripe.

The 100+ restaurants affected appear to be mostly small, local shops around New England—NY, NJ, PA, MD, CT, VA—and the Midwest—IL, IN, MO, WI. Jimmy John’s also released a list of the 216 stores across the country compromised between June 16, 2014 and Sept. 5, 2014.

Signature Systems added that it has been working with the credit card networks and law enforcement to determine affected users and prevent fraudulent transactions or issue new cards.

“We are confident that the additional security measures blocked the attack and you can feel confident in continuing to use your card at the affected restaurants,” said Signature Systems.

Meanwhile, the company suggests potentially affected customers remain vigilant by reviewing account statements and credit reports for any unauthorized activity.
