Jason’s Deli warned customers Thursday that data from as many as 2 million payment cards may have been compromised in a point-of-sale system breach that began on June 8 and may have continued through much of December.
Jason’s Deli, owned by Beaumont, Texas-based Deli Management Inc., said payment card processors found card data linked to about 164 of its 264 locations for sale on the dark web and alerted the company on Dec. 22. The affected locations are in 15 states, according to a breach alert posted on the chain’s website.
“Based on the facts known to Jason’s Deli at this time, we believe that the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017,” the company said in a statement. “Our investigation has determined that approximately 2 million unique payment card numbers may have been impacted.”
The compromised data did not include personal identification numbers or back-of-card security codes, Jason’s Deli said.
The company said investigators were discovering more about how the breach occurred.
“From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales terminals at various corporate-owned Jason’s Deli restaurants,” the company said. “During the course of the investigation, our response team contained the security breach and has also disabled the malware in all of the locations where it was discovered.”
The company offered a list of locations that may have been affected at the data breach website.
Restaurant brands increasingly have been targets of hackers, some for general information and others for payment card data.
In mid-October, Pizza Hut warned that about 60,000 customers may have had their personal information compromised in a “third-party security intrusion.” The Plano, Texas-based division of Yum! Brands Inc. sent emails to customers, saying the hack of its website and mobile app occurred in a 28-hour period from the morning of Oct. 1 to midday Oct. 2.
Earlier in October, Oklahoma City-based Sonic Corp. said it was the victim of a data breach that reportedly resulted in the potential theft of “millions” of customer credit and debit card numbers. The Krebs on Security blog said the Sonic breach could involve as many as 5 million credit and debit cards.
Other restaurant chains reporting data security incidents in 2017 included Arby’s, Chipotle Mexican Grill and Shoney’s.
Jason’s Deli ranked No. 75 in Nation’s Restaurant News’ 2017 Top 100 census with an estimated $646.6 million in systemwide sales for the fiscal year ended December 2016.
Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless