BreachExchange mailing list archives

Jimmy John’s security breach latest test of consumer notice
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Sep 2014 18:47:51 -0600

http://www.sj-r.com/article/20140928/News/140929507

Companies must provide notification to customers of credit and debit card
security breaches within a reasonable time under Illinois law.

In the case of Jimmy John’s, the sandwich chain learned July 30 of a data
breach at more than 200 stores, but it wasn’t announced until Wednesday.
Restaurants at 3128 S. Sixth St. and 2925 Iles Ave. in Springfield were
among stores hit, according to the company.

“There’s a reason,” Illinois Attorney General Lisa Madigan told The State
Journal-Register. “We don’t want to undermine any type of criminal
investigation. We want to be able to determine the source of the breach.”

Madigan’s office is leading an investigation into the Jimmy John’s security
breach.

The two-month period between discovery and public announcement at Jimmy
John’s is not uncommon, said Madigan, who is seeking re-election in
November.

“Under Illinois law, they are required to provide notice within the most
expedient time possible and without unreasonable delay,” she said.

Madigan said companies could face penalties if unnecessary delays were
found or if insufficient steps were taken to protect consumer data. The
Federal Trade Commission also announced earlier this year it would seek
more authority to enforce security improvements, including
consumer-notification requirements.

Jimmy John’s, based in Champaign, said in an announcement that steps were
taken to protect customers. Debit and credit card purchases made between
June 16 and Sept. 5 were affected.

A message left with Jimmy John’s representatives was not returned Friday,
but the company posted a statement on its website, jimmyjohns.com, that
said the breach was contained and customers could safely use debit and
credit cards for purchases.

The company said login credentials for its point-of-sale system were stolen
from a third-party vendor. Jimmy John’s has hired independent experts to
investigate the break-in, according to the statement.

“Jimmy John’s has taken steps to prevent this type of event from occurring
in the future,” the statement said, “including installing encrypted swipe
machines, implementing system enhancements, and reviewing its policy and
procedures for third-party information.”

Schnuck Markets Inc. in August reached a tentative settlement of a lawsuit
resulting from a security breach at nearly 80 supermarkets in Missouri,
Illinois, Iowa and Indiana, including two stores in Springfield.

Approximately 2.2 million cards were affected.

The company declined further comment other than to point out consumers
received regular updates, including through the website, a toll-free
hotline and the news media.

Jerry Bryan of Bryan Consulting Inc. in St. Louis said clients of the
communications and technology firm are advised to get information out as
quickly as possible, including through social media, when there are
problems with company products or services.

“It runs counter to what most corporate managers believe: ‘I can’t say
anything because I don’t have all the facts,’” Bryan said. “By the time you
know all the facts, the public is blaming you.”

He said companies must help consumers understand that the companies also
have been victimized, in this case by cybercriminals.

“Jimmy John’s had a security breach, and my first inclination is to think
Jimmy John’s did this,” Bryan said. “Something has to make me slow down
just enough to realize somebody attacked Jimmy John’s.”

The Illinois attorney general’s office received more than 3,000 identity
theft complaints in 2013, second only to 4,300 consumer debt complaints.
Identity theft has been the fastest-growing category in recent years.

Madigan said the question of consumer notification regularly comes up
following a security breach but that consumers themselves remain the best
defense against identity theft.

“They should be watching their debit and credit card information,” Madigan
said. “We’re encouraging them to have transaction alerts on credit and
debit cards. There are some very basic things that should just be part of
their routine.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 