
Jimmy John - Signature Systems - PDQPOS.

Posted by Admin on September 29, 2014

Signature Systems Acts to Block Payment Card Security Incident

Signature Systems, Inc. provides point-of-sale (POS) systems for restaurants. We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant’s anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures.

How did this happen?

We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems. The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.

What restaurants are affected?

This incident affected 216 Jimmy John’s stores and 108 other restaurant locations. The time frame during which payment cards may have been captured at an affected restaurant varies across the affected locations. June 16 is the earliest date that cards were at risk at certain locations. After learning of the potential issue on July 30, by August 5, we had removed the malware from most of the affected locations. For a small percentage, we were not able to completely remove the malware from all devices in the system until mid-September.

What are we doing?

We wanted to let you know about this incident as soon as we could. Because we cannot identify which specific cards were actually taken and we do not have the names or addresses of any potentially affected customers, a list of the affected restaurants and at risk time frames is below.

If you used your card at one of those stores during the listed time and see a fraudulent charge on your card, please immediately contact the bank that issued your card. Major credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges. Please review your account statements for any unauthorized activity regularly. You should also review the “More Information on Ways to Protect Yourself” section below.

We have also been working with the credit card networks and law enforcement. By identifying which cards may be at risk and notifying the credit card networks, they can work with the banks that issued those cards to prevent fraudulent transactions or to issue new cards. We are confident that the additional security measures blocked the attack and you can feel confident in continuing to use your card at the affected restaurants.

We deeply regret any inconvenience this may cause. If you have questions please call us at 877.235.0923, Monday through Friday, 9 a.m. to 7 p.m.

Frequently Asked Questions

How did this happen?

An unauthorized person used a remote access tool to access the computers in the restaurants that operate the point-of-sale systems and installed malware designed to capture payment card data. The malware was designed to avoid detection by the anti-virus programs running on the point-of-sale systems.

When did you discover this?

We were first alerted to a potential issue affecting one restaurant location on July 30, 2014 and have been working hard ever since to determine what occurred, block it from continuing, implement enhanced security measures, and notify the affected merchants.

Why did you wait until now to tell me?

Forensic investigations take time, and we wanted to be sure we had accurate and reliable information regarding what happened and what was being done to prevent it from happening in the future.

How many people were affected?

Although we know the affected locations and time frames when cards were at risk, we do not have access to transaction information that would let us know how many cards were used in those stores during the at risk times.

Store List

Jimmy John’s has posted a list of affected stores and time frames on its website, www.jimmyjohns.com.
The other affected restaurants and time frames are:

 

Store   Earliest At Risk   Latest At Risk
Roman Delight - Southampton, PA 6/23/2014 10:37 AM 6/26/2014 2:03 AM
Antonellis Pizza - Lorton, VA 6/17/2014 9:32 AM 7/17/2014 10:29 PM
Italian Touch - Broadway, VA 6/19/2014 7:02 AM 7/25/2014 7:38 PM
Lost Pizza Co. - Southaven, MS 6/23/2014 6:54 AM 7/30/2014 4:02 AM
Lost Pizza Co. - Tupelo, MS 6/23/2014 7:04 AM 7/31/2014 1:09 AM
Pizza King - North - Rushville, IN 6/23/2014 9:47 AM 8/1/2014 3:15 PM
Joe's Pizza and Pasta - Dupo, IL 6/19/2014 7:36 AM 8/1/2014 8:08 PM
Lott-A-Freeze - Indianola, MS 6/23/2014 7:13 AM 8/1/2014 8:42 PM
Springdale Pizza - Stamford, CT 6/24/2014 7:25 AM 8/1/2014 9:03 PM
Skin Flints - Brooklyn, NY 6/24/2014 7:04 AM 8/1/2014 9:05 PM
Grecco's Pizza - Bedford, IN 6/19/2014 6:38 AM 8/1/2014 9:39 PM
Blue Moon Bakery - Big Sky, MT 6/18/2014 6:15 AM 8/1/2014 9:45 PM
SaraBella Pizzeria & Desserts - Albany, NY 6/24/2014 6:52 AM 8/1/2014 9:47 PM
Mister Jim's Submarines - Chesapeake, VA 6/23/2014 7:55 AM 8/1/2014 9:59 PM
Paisano's Pizza - Rockville, MD 6/17/2014 8:06 AM 8/1/2014 9:59 PM
Pizza King - Rushville, IN 6/23/2014 9:42 AM 8/1/2014 10:06 PM
Angelina's Pizzeria & Restaurant - Hackensack, NJ 6/17/2014 9:23 AM 8/1/2014 10:09 PM
Giuseppe's Pizza - New Hope, PA 6/18/2014 8:37 AM 8/1/2014 10:09 PM
Piero's Italian Restaurant - Huntingdon Valley, PA 6/17/2014 7:22 AM 8/1/2014 10:10 PM
Bagel Boys - Ramsey, NJ 6/17/2014 6:59 AM 8/1/2014 10:18 PM
Donatis Pizza - Lake Forest, IL 6/18/2014 7:44 AM 8/1/2014 10:17 PM
Glenside Pizza - Glenside, PA 6/18/2014 8:41 AM 8/1/2014 10:19 PM
DeNiros Pizza & Subs - Baltimore, MD 6/18/2014 7:00 AM 8/1/2014 10:19 PM
Luigis Pizzarama - Elkins Park, PA 6/23/2014 7:15 AM 8/1/2014 10:21 PM
Warrington Pizza - Warrington, PA 6/25/2014 7:32 AM 8/1/2014 10:23 PM
Wings to Go - Fairless Hills, PA 6/25/2014 7:38 AM 8/1/2014 10:28 PM
The Pizza Shop II - Fishkill, NY 6/23/2014 9:50 AM 8/1/2014 10:34 PM
Spatola's - Paoli, PA 6/24/2014 7:22 AM 8/1/2014 10:38 PM
Casa D'Amico - Stratford, NJ 6/18/2014 6:34 AM 8/1/2014 10:40 PM
Wings to Go - Feasterville, PA 6/25/2014 7:45 AM 8/1/2014 10:41 PM
Friends Bar & Grill, Newtown, PA 6/18/2014 7:16 AM 8/1/2014 10:42 PM
Paisano's Kingstowne - Alexandria, VA 6/17/2014 7:57 AM 8/1/2014 10:45 PM
Joanie's - St. Louis, MO 6/19/2014 7:29 AM 8/1/2014 10:52 PM
Hambinos Pizza Co - Bristol, TN 6/19/2014 2:43 AM 8/1/2014 11:59 PM
Joe's Pizza - Greenville, IL 6/19/2014 8:05 AM 8/1/2014 11:59 PM
Middle River Pizzeria - Middle River, MD 6/23/2014 7:53 AM 8/1/2014 11:59 PM
Tony's NY Pizza - Fairfax, VA 6/25/2014 6:51 AM 8/2/2014 1:33 AM
Uncle Paul's Pizza - New York, NY 6/17/2014 9:00 AM 8/2/2014 9:56 AM
The Corner Café - Huntingdon Valley, PA 6/17/2014 7:21 AM 8/2/2014 1:07 PM
Paisano's Pizza - Fairfax, VA 6/17/2014 7:50 AM 8/2/2014 1:40 PM
Pizza Classica - Ridgewood, NY 6/23/2014 9:39 AM 8/2/2014 2:54 PM
Paisano's - Gainesville, VA 6/17/2014 7:53 AM 8/2/2014 3:05 PM
Paisano's - Herndon, VA 6/17/2014 7:55 AM 8/2/2014 3:09 PM
Costello's Italian Ristorante - Galloway, NJ 6/18/2014 6:49 AM 8/2/2014 3:39 PM
Uncle Charlie's Pizza - Fairless Hills, PA 6/25/2014 6:59 AM 8/2/2014 3:53 PM
Joes Pizza & Pasta - Edwardsville, IL 6/19/2014 8:04 AM 8/2/2014 3:55 PM
Paisano's - Chantilly, VA 6/17/2014 7:35 AM 8/2/2014 3:58 PM
Romanellis - Madison, NJ 6/23/2014 10:40 AM 8/2/2014 4:07 PM
Rosatis - Springfield, MO 6/17/2014 8:41 AM 8/2/2014 4:09 PM
Paisano's Pizza - Vienna, VA 6/17/2014 8:23 AM 8/2/2014 4:12 PM
Paisano's Pizza - Annandale, VA 6/17/2014 7:37 AM 8/2/2014 4:21 PM
Uncle Oogie's - Warminster, PA 6/25/2014 7:03 AM 8/2/2014 4:22 PM
Tonelli's - Horsham, PA 6/25/2014 6:45 AM 8/2/2014 4:31 PM
Community Pizza - Fort Dodge, IA 6/18/2014 6:42 AM 8/2/2014 4:32 PM
Fat Boys Pizza - Holt, MI 6/18/2014 8:03 AM 8/2/2014 4:34 PM
Pizza Tugos - Ocean City, MD 6/23/2014 10:10 AM 8/2/2014 4:35 PM
Paisano's - Crystal City, VA 6/17/2014 7:47 AM 8/2/2014 4:36 PM
Santucci's - Philadelphia 6/23/2014 8:50 AM 8/2/2014 4:37 PM
Pizzeria Scotty, Milwaukee, WI 6/23/2014 10:28 AM 8/2/2014 10:20 PM
Paisano's - Manassas, VA 6/17/2014 7:58 AM 8/3/2014 4:36 AM
Paisano's Pizza - Ashburn, VA 6/17/2014 7:33 AM 8/3/2014 4:43 AM
Casa D' Mama - Annandale, VA 7/1/2014 6:42 PM 8/3/2014 10:57 AM
Johnnys Pizza - Ocean City, MD 6/23/2014 6:26 AM 8/3/2014 11:12 AM
Paisano's - Woodbridge, VA 6/17/2014 8:27 AM 8/3/2014 10:03 PM
Di Fiores Pizzeria and Italian Restaurant - Neffs, PA 6/18/2014 7:03 AM 8/3/2014 11:42 PM
Paisanos Pizzaria - Reston, VA 6/17/2014 8:05 AM 8/4/2014 1:23 PM
Uncle Joe's Pizza 6/17/2014 7:28 AM 8/4/2014 2:46 PM
Santucci's - Philadelphia, PA 6/24/2014 6:35 AM 8/4/2014 7:54 PM
All Town Pizza - Glenolden, PA 6/17/2014 9:10 AM 8/5/2014 12:01 AM
Paisano's - Fair Lakes, VA 6/17/2014 7:48 AM 8/5/2014 6:21 PM
Dominick's - Parkville, MD 6/18/2014 7:40 AM 8/10/2014 5:23 AM
Wild West Pizzeria - West Yellowstone, MT 6/25/2014 7:30 AM 8/12/2014 7:24 PM
Abate Apizza - East Haven, CT 6/17/2014 9:05 AM 8/14/2014 5:19 PM
Rosati's - Oconomowoc, WI 6/17/2014 8:40 AM 8/18/2014 3:43 PM
Abate Restaurant - New Haven, CT 6/17/2014 9:15 AM 8/18/2014 4:13 PM
Austin's Bar & Grill - Franklin, IN 7/1/2014 6:45 PM 8/20/2014 7:48 PM
Mister P Pizza & Pasta - Philadelphia, PA 6/23/2014 7:59 AM 8/26/2014 3:58 AM
La Fogata - Warminster, PA 6/23/2014 6:34 AM 8/26/2014 5:59 AM
Mario's Pizza - Berea, KY 6/23/2014 7:45 AM 8/26/2014 6:31 AM
Lee's Hoagie House of Horsham - Horsham, PA 7/1/2014 6:46 PM 8/29/2014 6:58 AM
VJ's Diner & Rest-Pizza - Hamilton, NY 6/25/2014 7:30 AM 9/9/2014 3:28 PM
Apollo Pizza - Philadelphia, PA 6/17/2014 9:38 AM 9/18/2014 4:17 AM
Epheseus Pizza - Pittsburgh, PA 6/18/2014 8:00 AM 9/18/2014 2:42 PM
Garden City Pizza - Garden City, NY 6/18/2014 8:20 AM 7/15/2014 4:59 AM
Valentino's Pizza - Sterling, VA 6/25/2014 7:14 AM 8/29/2014 8:29 PM
The Pizza Place and More - Crystal Lake, IL 6/24/2014 7:47 AM 9/9/2014 1:32 PM
Positano's - Franklin Park, IL 6/23/2014 10:31 AM 9/18/2014 12:56 AM
Bella Pizza - Centreville, VA 6/17/2014 7:30 AM *
Paisano's Bailey's Crossing - Falls Church, VA 6/17/2014 7:41 AM *
Rosati's - Tucson, AZ 6/17/2014 8:38 AM *
Rosatis Pizza Pub - Yorkville, IL 6/17/2014 8:50 AM *
Don Franco's - Apollo Pizza - Sewell, NJ 6/17/2014 9:35 AM *
Brother Bruno's - Hawley, PA 6/18/2014 6:46 AM *
Deniro's - Baltimore, MD 6/18/2014 6:58 AM *
Dolce Carini - Newtown, PA 6/18/2014 7:18 AM *
Dominick's Pizza & Carryout - Parkville, MD 6/18/2014 7:36 AM *
Doreen's Pizzeria II - Dyer, IN 6/18/2014 7:50 AM *
Garlicknot - Littleton, CO 6/18/2014 8:22 AM *
Joes Pizza & Pasta - Altamont, IL 6/19/2014 7:33 AM *
Oreland Pizza - Oreland, PA 6/23/2014 8:15 AM *
Papa Nick's - Philadelphia, PA 6/23/2014 8:43 AM *
Royal Pizza, Columbia, MD 6/24/2014 6:28 AM *
SaraBella - Ballston Spa, NY 6/24/2014 6:54 AM *
Trattoria Peppino - Elmwood Park, IL 6/25/2014 6:53 AM *
*Denotes locations where forensic evidence to conclusively determine when the malware was removed has not yet been identified. The investigation to determine this latest at risk date is ongoing. The attack has been blocked at these locations.

More Information on Ways to Protect Yourself

We recommend that you remain vigilant by reviewing your account statements and credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax, PO Box 740256, Atlanta, GA 30374, www.equifax.com, 1-800-525-6285
Experian, PO Box 9554, Allen, TX 75013, www.experian.com, 1-800-525-6285
TransUnion, PO Box 6790, Fullerton, CA 92834, www.transunion.com, 1-800-680-7289

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the attorney general’s office in your home state. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580 www.ftc.gov, 1-877-438-4338

You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.

If you are a resident of Maryland, you may contact the Maryland Attorney General’s Office at 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

If you are a resident of Massachusetts, note that pursuant to Massachusetts law, you have the right to obtain a copy of any police report.

Massachusetts law allows consumers to request a security freeze. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without written authorization. Be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

The fee for placing a security freeze on a credit report is $5.00. If you are a victim of identity theft and submit a valid investigative report or complaint with a law enforcement agency, the fee will be waived. In all other instances, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze. If you have not been a victim of identity theft, you will need to include payment to the credit reporting agency to place, lift, or remove a security freeze by check, money order, or credit card.

To place a security freeze on your credit report, you must send a written request to each of the three major reporting agencies by regular, certified, or overnight mail at the addresses below:

Equifax
PO BOX 740241
Atlanta, GA 30374
www.equifax.com

Experian
PO BOX 9554
Allen, TX 75013
www.experian.com

TransUnion
PO BOX 6790
Fullerton, CA 92834
www.transunion.com

In order to request a security freeze, you will need to provide the following information:

  • Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
  • Social Security number
  • Date of birth
  • If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
  • Proof of current address such as a current utility bill or telephone bill
  • A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
  • If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number ("PIN") or password or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

If you are a resident of North Carolina, you may contact the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716-6400.

If you are a resident of West Virginia, you also have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies. Contact information for each of the three credit reporting agencies is located on the second page of this letter. As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file.

You may choose between two types of fraud alert. An initial alert (Initial Security Alert) stays in your file for at least 90 days. An extended alert (Extended Fraud Victim Alert) stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.

You may also obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to West Virginia law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a unique personal identification number (“PIN”) or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the distribution of your credit report for a period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

  1. The unique personal identification number (“PIN”) or password provided by the consumer reporting agency;
  2. Proper identification to verify your identity; and
  3. The period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request.

A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, a few days before actually applying for new credit.
