BreachExchange mailing list archives
Jimmy John’s security breach latest test of consumer notice
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Sep 2014 18:47:51 -0600
http://www.sj-r.com/article/20140928/News/140929507

Companies must provide notification to customers of credit and debit card security breaches within a reasonable time under Illinois law.

In the case of Jimmy John’s, the sandwich chain learned July 30 of a data breach at more than 200 stores, but it wasn’t announced until Wednesday. Restaurants at 3128 S. Sixth St. and 2925 Iles Ave. in Springfield were among stores hit, according to the company.

“There’s a reason,” Illinois Attorney General Lisa Madigan told The State Journal-Register. “We don’t want to undermine any type of criminal investigation. We want to be able to determine the source of the breach.”

Madigan’s office is leading an investigation into the Jimmy John’s security breach.

The two-month period between discovery and public announcement at Jimmy John’s is not uncommon, said Madigan, who is seeking re-election in November.

“Under Illinois law, they are required to provide notice within the most expedient time possible and without unreasonable delay,” she said.

Madigan said companies could face penalties if unnecessary delays were found or if insufficient steps were taken to protect consumer data.

The Federal Trade Commission also announced earlier this year it would seek more authority to enforce security improvements, including consumer-notification requirements.

Jimmy John’s, based in Champaign, said in an announcement that steps were taken to protect customers. Debit and credit card purchases made between June 16 and Sept. 5 were affected.

A message left with Jimmy John’s representatives was not returned Friday, but the company posted a statement on its website, jimmyjohns.com, that said the breach was contained and customers could safely use debit and credit cards for purchases.

The company said login credentials for its point-of-sale system were stolen from a third-party vendor. Jimmy John’s has hired independent experts to investigate the break-in, according to the statement.

“Jimmy John’s has taken steps to prevent this type of event from occurring in the future,” the statement said, “including installing encrypted swipe machines, implementing system enhancements, and reviewing its policy and procedures for third-party information.”

Schnuck Markets Inc. in August reached a tentative settlement of a lawsuit resulting from a security breach at nearly 80 supermarkets in Missouri, Illinois, Iowa and Indiana, including two stores in Springfield. Approximately 2.2 million cards were affected.

The company declined further comment other than to point out consumers received regular updates, including through the website, a toll-free hotline and the news media.

Jerry Bryan of Bryan Consulting Inc. in St. Louis said clients of the communications and technology firm are advised to get information out as quickly as possible, including through social media, when there are problems with company products or services.

“It runs counter to what most corporate managers believe: ‘I can’t say anything because I don’t have all the facts,’” Bryan said. “By the time you know all the facts, the public is blaming you.”

He said companies must help consumers understand that the companies also have been victimized, in this case by cybercriminals.

“Jimmy John’s had a security breach, and my first inclination is to think Jimmy John’s did this,” Bryan said. “Something has to make me slow down just enough to realize somebody attacked Jimmy John’s.”

The Illinois attorney general’s office received more than 3,000 identity theft complaints in 2013, second only to 4,300 consumer debt complaints. Identity theft has been the fastest-growing category in recent years.

Madigan said the question of consumer notification regularly comes up following a security breach but that consumers themselves remain the best defense against identity theft.

“They should be watching their debit and credit card information,” Madigan said. “We’re encouraging them to have transaction alerts on credit and debit cards. There are some very basic things that should just be part of their routine.”