POS manufacturer Signature Systems has confirmed a data breach affecting card information across 216 Jimmy John sandwich shops has also affected other restaurants in its US network.
The sandwich chain POS breaches were discovered at the end of July, whereupon they were investigated. Signature Systems has now confirmed that card details from other restaurants using its POS system have also been compromised.
Malware was installed when a hacker gained remote access to the system with a username and password, enabling cardholder data to be captured. It has not been made known how the person acquired the log-in credentials.
Six days later the malware was removed from all but "a small percentage". The remaining affected systems were fixed mid-September.
In a statement, Signature Systems said:
"The unauthorised person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card. This incident affected 216 Jimmy John’s stores and 108 other restaurant locations."
According to payments security association PCI Security Standards Council, Signature Systems’ PDQ POS was not approved for new installations after 28 October 2013 and the company could face penalties as a result. Jimmy John’s sandwich chain has 1,900 outlets across the US.