Cyber Incident Victim: Jimmy John's

Date: Jun 2014

Location: United States of America

Summary

Hackers compromised a point-of-sale vendor's remote access credentials and used them to install malware on systems at numerous restaurant locations, including over 200 Jimmy John's outlets, leading to theft of payment card details from magnetic stripes. The breach affected nearly 100 additional independent establishments and involved non-compliant POS software, prompting remediation efforts like malware removal, two-factor authentication implementation, and development of encrypted payment technology to prevent future incidents.

Description

The breach impacting Jimmy John’s sandwich shops originated from compromised remote access credentials at Signature Systems Inc., a Pennsylvania-based point-of-sale (POS) vendor. Between June 16 and September 5, 2014, attackers used stolen usernames and passwords to remotely install malware on cash registers across 216 Jimmy John’s locations. This malware captured cardholder names, card numbers, expiration dates, and verification codes directly from the magnetic stripes of payment cards swiped at infected terminals. Jimmy John’s publicly confirmed the intrusion on September 14, 2014, following initial suspicions raised by security researchers in late July. Signature Systems subsequently disclosed that the same attack compromised nearly 100 additional independent restaurants nationwide, primarily small pizza shops and eateries using its PDQ POS systems. The vendor acknowledged that attackers leveraged its remote access credentials to deploy the card-stealing malware, exposing payment data across all affected businesses during the nearly three-month intrusion window.

Investigations revealed compliance concerns regarding Signature Systems’ PDQ POS software, which had lost its PCI Security Standards Council approval for new installations after October 28, 2013. Thirteen Jimmy John’s locations deployed the non-compliant POS systems after this deadline, potentially exposing them to fines. Jimmy John’s responded by replacing these systems with PCI-compliant terminals, implementing daily malware scans across all stores, removing the malicious software from infected registers, and enforcing dual-factor authentication for remote POS access. The company also adopted encrypted swipe technology to prevent future card data theft from magnetic stripes. Signature Systems concurrently developed a new payment application featuring point-to-point encryption to neutralize POS malware threats. Security audits of PDQ POS faced additional scrutiny, as the firm responsible for its prior validation—Chief Security Officers—had its PCI certification authority revoked before the breach. The incident underscored systemic vulnerabilities in third-party POS vendor security practices and their downstream impacts on franchise operators.
