Update on Jason’s Deli breach: 2 million impacted

There’s an update to the Jason’s Deli breach noted previously on this site.   As of January 11, the firm posted on its site: On December 22, 2017, Jason’s Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. Jason’s Deli’s management immediately activated our response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement. We released a preliminary public statement on December 28, 2017 describing the situation and our initial response. From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason’s Deli restaurants (see below for a list) starting on June 8, 2017. During the course of the investigation, our response team contained the security breach and has also disabled the malware in all of the locations where it was discovered. What Information Was Involved? Based on the facts known to Jason’s Deli at this time, we believe that the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017. Our investigation has determined that approximately 2 million unique payment card numbers may have been impacted. Specifically, the payment card information obtained was full track data from a payment card’s magnetic stripe. While this information varies from card issuer to card issuer, full track data can include the following: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. However, it should be noted that the cardholder verification value that may have been compromised is not the same as the three-digit value printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or the four-digit value printed on the front of other payment cards (e.g., American Express). In addition, the track data does not include personal identification numbers (“PINs”) associated with debit cards. What Are We Doing? Since the breach was discovered, Jason’s Deli has worked closely with third-party forensics and cyber security firms, as well as federal law enforcement, to investigate and contain the breach. You can read the full notice here. A listing of potentially affected Jason’s Deli locations appears under their notice on that page. Thanks to @fanCRTCProfling for calling this to my attention.

Statement of Jason’s Deli Regarding Customer Financial Data

Jason’s Deli (www.jasonsdeli.com) is a family owned business known for high-quality food and catering services for over 40 years. It is headquartered in Texas and operates or franchises 266 restaurants in 28 states, with a reputation for award-winning quality and a strong relationship with our customers. On Friday, Dec. 22, 2017, our company was notified by payment processors – the organizations that manage the electronic connections between Jason’s Deli locations and payment card issuers – that MasterCard security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. Jason’s Deli’s management immediately activated our response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement. Among the questions that investigators are working to determine is whether in fact a breach took place, and if so, to determine its scope, the method employed, and whether there is any continuing breach or vulnerability. The investigation is in its early stages and, as is typical in such situations, we expect it will take some time to determine exactly what happened. Jason’s Deli will provide as much information as possible as the inquiry progresses, bearing in mind that security and law enforcement considerations may limit the amount of detail we can provide. In the meantime, customers should monitor their payment card accounts carefully and report any suspicious activity to their card issuer. Customers or financial institutions with any questions should contact [email protected] or 409-838-1976. Jason’s Deli recognizes that the security of credit and debit card transactions is of the utmost importance to our customers. We have, over the years, continually reviewed and periodically strengthened our security systems, as have other retailers, to meet the constant challenge of sophisticated criminal activity. We will continue that process, and will carefully consider whatever further changes may be appropriate after a thorough forensic review of this event and our payment security systems. We appreciate the dedication of our employees and others who are working during their Christmas break to respond to this matter and protect our customers, and we thank them and their families for their sacrifice. Most importantly, we appreciate the trust our customers place in us, and we regret any inconvenience that some may experience, especially during the holidays. Thank you for your support and understanding. Nice of them to thank the employees like that. If this is confirmed as a breach of their system, this would not be the first time.  In September, 2010, this site reported on a malware incident involving them.

(Follow-up) Secret Service: Computer virus to blame for Jason’s Deli thefts

Janice Broach reports: Investigators believe credit and debit card thefts at the Jason’s Deli on Ridgeway in Memphis are linked to a virus that infected computers at the restaurant. “The computers received a virus that was unknown before this event,” Special Agent Rick Harlow of the U.S. Secret Service said Tuesday. “It was a new variation of an older virus. No virus program that we ran against it found it.” Dozens of customers have reported in recent weeks that their credit or debit card numbers were stolen after being used at the restaurant. Since word of the thefts began to spread, business has dropped by nearly 50 percent, according to store owner Kent Holt. At a press conference held outside the restaurant, Harlow said investigators are still not sure how the virus infected computers there. “It was not Jason’s Deli’s fault that this occurred,” he said. Read more on WMC-TV

TN: Identity Theft Hits Customers of Mid-South Deli

Natasha Chen reports: Some customers who have recently purchased items at Jason’s Deli found suspicious activity on their credit or debit accounts, some of which is occurring out of state. […] The Memphis Police Department said that they have an open investigation right now, with three victims reporting unauthorized charges on their credit/debit card accounts. A spokesperson stated, “The last place all three victims reported using their credit cards was at Jason’s Deli.” One of the partners of Jason’s Deli and the general manager of the 1199 Ridgeway Rd. location declined to speak on camera. But the partner, Kent Holt, gave News Channel 3 this statement: “On Friday Aug. 20th it was brought to my attention that there were some credit cards that have been compromised. The IT department was notified, and reacted immediately, and for extra measure added another layer of security. If we find any wrongdoing we will report it to the appropriate authorities and cooperate thoroughly with their investigation. At this time we have no further comment pending an ongoing investigation.” Read more on WREG.