Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.
Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.
Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”
The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, in which fraudsters use stolen magnetic-stripe data to encode counterfeit copies of the victims’ cards and then use those counterfeits in person at stores and ATMs.
Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software, which copies the card data as each card is swiped and ships it back to the attackers. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries (all breaches first reported on this blog).
According to the company’s Wikipedia page, there are more than 1,900 Jimmy John’s stores in at least 43 states. Nearly all Jimmy John’s locations (~98 percent) are franchisee-owned, meaning they are independently operated and may not depend on common information technology infrastructure.
However, multiple stores contacted by this author said they ran point-of-sale systems made by Signature Systems Inc. The company’s PDQ QSR point-of-sale product is apparently recommended as the standard payment solution for new Jimmy John’s franchise owners nationwide. Signature Systems did not immediately return calls for comment.
Reports of a possible card compromise at Jimmy John’s come amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.
Update: An earlier version of this story incorrectly stated that Jimmy John’s was based in Charleston, Ill.; rather, it was founded there. The copy above has been corrected.