In the latest installment of American chain stores falling victim to major security breaches, gourmet sandwich chain Jimmy John’s has recently confirmed that a hacker infiltrated its POS system and stole thousands of customer credit card and debit card numbers. An official company statement reports that the breach occurred between June 16th and September 5th (but since the statement also notes that the company found out about the breach on July 30th, it’s likely that the initial hack occurred during June or July).
The statement also reports that 216 individual Jimmy John’s stores in 37 states have been affected by the breach, and that log-in credentials were stolen from Jimmy John’s POS vendor and used “to remotely access the point-of-sale systems at some corporate and franchised locations,” thereby accessing credit card and debit card numbers of customers. Only swiped cards (not card numbers that were entered manually or via online transactions) appear to have been compromised by this particular hack, the statement says. Besides the card number, other information attached to the credit account may have been stolen, including the cardholder’s name, account number, verification code, and card expiration date.
According to the official Jimmy John’s statement, a third-party investigation team was hired immediately after the breach was reported to company executives. The statement also said that while the investigation is still ongoing, cards used after September 5th at any Jimmy John’s location are at no risk of being compromised.
Now that the official statement has been released, many consumers are wondering how the breach happened in the first place, and how, if the company was made aware of the breach on July 30th and immediately hired an investigation firm, it could be possible that card numbers were stolen as late as September 5th. Furthermore, customers aren’t happy that the company took so long to make an official statement (which was released on September 24th).
Considering that multiple chain stores (like Target and The Home Depot) have been the victims of high-profile security breaches recently, American consumers are becoming increasingly concerned that stores may not be taking every possible preventative measure to ensure that customer information is protected.
“Credit card fraud is a real concern with every retailer these days,” says Mike Gross of Retail Management Solutions. “From our perspective, system security is central to everything we do with our pharmacy POS solutions. Several years ago, we implemented fingerprint technology for user log-in, and most recently, we are now offering End-to-End credit card encryption that encrypts the customer’s credit card from the point it’s swiped to the point it is processed for approval from the credit card processor. This way, nothing can intervene with the payment process.”
While the breach investigation continues, Jimmy John’s states that preventative measures will be implemented as soon as possible in order to reduce the risk of a security breach happening again; these steps include “installing encrypted swipe machines, implementing system enhancements, and reviewing [the] policies and procedures for [Jimmy John’s] third party vendors.” Along with providing customers with a full list of compromised stores and complete details about the security breach, the company is reportedly offering to pay for 12 months of identity protection service for any customers who were affected.