Sandwich chain Jimmy John’s, with more than 1,900 stores across the U.S., appears to be the latest common-point-of-purchase retail data breach victim, with KrebsOnSecurity reporting a large-scale card-present fraud. That means someone is using cloned payment cards to buy an awful lot of hoagies.
The chain has said little, but did e-mail the security site a short statement merely confirming that they are looking into something: ““Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information,” is that statement, according to the Krebs report.
The report notes that Jimmy John’s is overwhelmingly (about 98 percent) owned by franchisors, which can mean that the problem may not be a centralized one per se. Some franchise chains that have been involved in large-scale data breaches—such as Subway—have complained that franchise owners will often buy low-security low-cost systems, often against the request of the chain.
In this instance, though, it appears that many of the chain’s stores were using the same POS system, one from Signature Systems Inc., which had been recommended by Jimmy John’s, Krebs reported. Cyberthieves will often focus on stores using the same POS system, so they can accordingly tweak their attack methods.
The report, however, said that Jimmy John’s appeared to be the common point of purchase with frauds being detected by various financial institutions. That would suggest that someone had cracked into the chain’s systems and used that information to create card clones.