Hackers have struck the quick-service industry again. Jason’s Deli announced that a “large quantity of payment card information” was being sold on the dark web, and at least a portion of the data was pulled from Jason’s Deli locations. While the investigation is still underway, as many as two million credit card numbers may have been compromised.
The company was notified December 22 and said, “management immediately activated our response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement.”
Jason’s Deli said RAM-scraping malware targeted a number of its point-of-sales systems at corporate-owned locations beginning June 8. The brand said the security breach has been contained.
The story was initially reported by KrebsonSecurity. The site said cards used at Jason's Deli were being sold on carding store Joker's Stash Dynamittte in a fresh batch of seven million cards. Read more about the breach here.
“While this information varies from card issuer to card issuer, full track data can include the following: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. However, it should be noted that the cardholder verification value that may have been compromised is not the same as the three-digit value printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or the four-digit value printed on the front of other payment cards (e.g., American Express). In addition, the track data does not include personal identification numbers (“PINs”) associated with debit cards,” Jason’ Deli said in a statement.
Jason’s Deli is the latest restaurant company to face a breach. This past October, Pizza Hut announced that a “small percentage” of its customers were affected by a “temporary security intrusion.” In September, Sonic Drive-In revealed that it was the target of a security breach. In May, Chipotle announced a security issue hit “most” of its locations. Arby’s said in February that potentially more than 355,000 customers’ credit cards could have been compromised.
More than a thousand Wendy’s locations were impacted by a major card breach in July 2016, an issue that proved costly for card-issuing banks and credit unions, KrebsOnSecurity points out. Wendy’s needed months to fix the situation, partly because of the brand’s large corporate-owned structure.