Cyber Incident Victim: Jersey Mike's Subs

On July 31, 2018, Jersey Mike’s Subs initiated customer notifications via email regarding potential unauthorized access to online accounts. The company advised recipients to reset their passwords as a precautionary measure, citing evidence that customer email addresses and passwords might have been obtained from a third-party source unrelated to Jersey Mike’s systems. The notification explicitly stated the breach did not originate from Jersey Mike’s infrastructure but likely resulted from credential reuse across multiple platforms. Customers were warned that unauthorized parties could leverage these externally compromised credentials to access Jersey Mike’s accounts. The company’s communication emphasized proactive security measures while distancing itself from direct responsibility for the credential exposure. No specific details were provided regarding the number of affected accounts, the timeframe of potential unauthorized access, or the identity of the implicated third party.

The incident reflected broader cybersecurity challenges within the food service industry, where credential-stuffing attacks and third-party vendor vulnerabilities frequently compromise customer accounts. Jersey Mike’s response aligned with common industry practices following credential exposure, focusing on password resets without disclosing operational specifics about attack vectors or forensic findings. Historical context from contemporaneous breaches—including PDQ’s credit card exposure, Typeform’s impact on Baker’s Delight and Fortnum & Mason, and Buffalo Wild Wings’ social media compromise—illustrated recurring threats to food-sector entities. Jersey Mike’s public communications did not reference financial fraud, data exfiltration, or system downtime as direct consequences. The absence of subsequent disclosures suggests the incident remained confined to credential-based risks without escalating to confirmed data theft or systemic network intrusion.