Breach that affected Jimmy John’s hit 108 more eateries

By Chad Hemenway on September 28, 2014

Signature Systems Inc, the point-of-sale provider used by recently breached sandwich chain Jimmy John’s, said more than 100 other restaurant locations could be affected by unauthorized access to its remote system.

According to the Newtown, Pa.-based software/hardware company’s website, it is “dedicated to providing the most effective, efficient and easy to operate restaurant point of sale system on the market.” But now it also said an unauthorized person somehow gained access to a username and password used to remotely get into POS systems.

This affected 216 Jimmy John’s stores—which was revealed last week.

An additional 108 restaurant locations—mostly pizzerias and/or Italian restaurants—from Big Sky, Montana to Hackensack, New Jersey have been affected by this incident, Signature said.

However, the POS provider said the time frame during which payment cards were exposed varies by location. It said June 16 is the earliest date it has seen.

The company was originally notified of the breach at one restaurant on July 30 and discovered malware on its POS system. Jimmy John’s said it learned of a breach on July 30 and its investigation revealed the digital break-in lasted from June 16 to September 5.

Signature said it removed malware–designed to avoid detection by anti-virus programs–from most affected locations by August 5, although it could not completely remove the malware from all devices until mid-September. Signature said customers can be confident using payment cards at the affected restaurants.

“We wanted to let you know about this incident as soon as we could,” said a statement from Signature, which added a list of affected restaurants “because we cannot identify which specific cards were actually taken and we do not have the names and address of any potentially affected customers.”

The company said it does not have access to information to estimate how many cards were used in the affected stores from mid-July to mid-September.

Signature said it is working with law enforcement and credit card networks during the investigation.

Addressing the anticipated question of why it took this long to tell the public, Signature said: “Forensic investigations take time, and we wanted to be sure we had accurate and reliable information regarding what happened and what was being done to prevent it from happening in the future.”

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.