2 Million Cardholders Affected by Jason's Deli Data Breach
On December 22, 2017, Jason’s Deli said it was notified by payment processors that credit card security personnel that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. Jason’s Deli said its management team immediately activated its response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement. It released a preliminary public statement on December 28, 2017 describing the situation and its initial response.
From its initial investigation findings, criminals deployed RAM-scraping malware on a number of its point-of-sale (POS) terminals at 164 corporate-owned Jason’s Deli restaurants starting on June 8, 2017. During the course of the investigation, its response team contained the security breach and isabled the malware in all of the locations where it was discovered.
What Information Was Involved?
Based on the facts known to Jason’s Deli, the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017. The investigation determined that approximately 2 million unique payment card numbers may have been impacted. Specifically, the payment card information obtained was full track data from a payment card’s magnetic stripe. While this information varies from card issuer to card issuer, full track data can include the following: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. However, it should be noted that the cardholder verification value that may have been compromised is not the same as the three-digit value printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or the four-digit value printed on the front of other payment cards (e.g., American Express). In addition, the track data does not include personal identification numbers (“PINs”) associated with debit cards.