Weekly Wrap Up Oct, 3 2014
This week's wrap summarizes the Jimmy John's data breach and the breach on Japan Airlines.
Jimmy John's Data Breach
Officially Acknowledged by Jimmy John's
216 stored affected 108 other independent restaurants were also affected by the same breach Jimmy John's says it "does not have sufficient information to contact potentially affected customers," Potentially exposed information includes credit card numbers, cardholder names, verification codes, and expiration.
Lessons Learned
The biggest potential problem with this breach is that some of the locations may have installed POS systems that were no longer approved by the PCI Security Standards Council. Any installations of Signature's PDQ POS systems done after October 28, 2013 were done against PCI regulations and could result in some hefty fines or other penalties. While specific instances of unapproved installations are not documented, the potential is there, and if the breach originated from one of those installations this is another fine example of what not to do. Even some of the simplest things if overlooked can result in massive headache. There are reasons software and hardware reach end of life and end of support, and when they do they become increasingly vulnerable with every passing day.
News Story
Jimmy John's Breach News Article
Japan Airlines Breach
No credit card numbers or passwords appear to be compromised As many as 750,000 members' data compromised Compromised data potentially includes names, birth dates, genders, home addresses, work addresses, job titles, phone numbers, fax numbers, email addresses, JMB membership numbers, and JMB enrollment dates Breach initiated by a malicious email containing malware Second breach of JAL this year
Lessons Learned
While no credit card data was lost this time, there was still a lot of Personal Identifiable Information (PII) lost. This lost information can easilybe used to launch targeted phishing campaigns, or be used to sign people up for services they don't need/want. This type of breach is still concerning to even small businesses. Even if no credit card information is lost there is still a portion of trust that customers lose in a business when any type of network intrusion happens. Any loss or compromise of information could have been credit card information or lead to identity theft which is far from a fun thing to have happen.