Point of Sale (POS) system provider Signature Systems has admitted that hundreds of restaurants across the US have been affected after a hacker managed to remotely install card-stealing malware at various sites.
The note on Friday claimed 216 Jimmy John’s stores and 108 other restaurants may have been hit from mid-June onwards.
The hacker in question was able to install the malware after somehow gaining a username and password used by Signature Systems to remotely access the POS systems.
The firm explained:
"We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant’s anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures."
Said malware was apparently designed to steal the cardholder name, card number, expiration date and verification code so Signature is urging customers who visited any of the affected locations to check their bills for any fraudulent charges.
It added:
We have also been working with the credit card networks and law enforcement. By identifying which cards may be at risk and notifying the credit card networks, they can work with the banks that issued those cards to prevent fraudulent transactions or to issue new cards. We are confident that the additional security measures blocked the attack and you can feel confident in continuing to use your card at the affected restaurants.
There could be more bad news for Signature and its clients, however. Online records from the Payment Card Industry Security Standards Council spotted by Brian Krebs seem to indicate that the firm’s PDQ POS product wasn’t validated for installations after 28 October 2013.
If this is the case, Jimmy John’s and other restaurants that used the device after this date could be in line for fines from the PCI SSC.