Jimmy Johns Breach Affects Others

As Brian Krebs reported late last week, the Jimmy Johns breach has a larger impact than previously reported. In a nutshell, here are the details:

  • The attack affected 216 Jimmy Johns stores nationwide
  • The hackers compromised the username and password used for remote administration
  • The POS or cash register software was created by Newtown, PA based Signature Systems, which, it appears, also manages those systems remotely.
  • According to the PCI Security Standards Council, Signature’s core product PDQ POS was not approved for new installations after October 28, 2013, meaning that restaurants that installed it after that date could face fines.
  • According to the notice on Signature’s web site, there are many, many other companies affected besides Jimmy Johns.

So what does this mean for retailers?

The first answer is obvious. As a business, you are going to take the heat if a vendor fails you. The business MUST validate that a vendor’s security procedures are adequate before signing a contract, and periodically (at least annually) after signing it. The agreement should spell out who is financially responsible for a breach. It will be interesting to see whether Jimmy Johns or Signature bears the financial cost of this breach, including lost business and reputation.

Next, businesses need to be more proactive in managing vendors. Does the vendor really need 24×7 access, or only during scheduled maintenance windows? How is that access restricted? Where does the vendor need to connect from (can you limit access to the vendor’s own subnet)? This requires more work on the part of the business, but the business has the most to lose.
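The subnet and time-window questions above are only useful if someone actually checks the remote-administration logs against the answers. The following Python is an added example, not code from the original post or from any vendor named here; the vendor account name, the IP ranges (RFC 5737 documentation addresses) and the log line format are constructed for illustration. It reads a remote-admin login log, compares each login with a per-vendor policy (allowed source network, allowed maintenance window) and reports the logins that break it, including the case where an account has no vendor policy at all.

```python
"""Audit remote-administration logins against a per-vendor access policy.

Added example, not from the original post. The vendor account, the IP ranges
(RFC 5737 documentation space) and the log format are constructed.
"""
import ipaddress
import re
from datetime import datetime, time

# Hypothetical policy: which account the vendor uses, from which source network,
# and during which maintenance window (local time). A window whose start is
# later than its end wraps past midnight (23:00 to 05:00 here).
VENDOR_POLICY = {
    "pos-vendor": {
        "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
        "window": (time(23, 0), time(5, 0)),
    },
}

# Constructed sample of a remote-admin authentication log (not real data).
SAMPLE_LOG = """\
2014-09-24T02:15:00 user=pos-vendor src=203.0.113.10 result=success
2014-09-24T14:02:00 user=pos-vendor src=203.0.113.10 result=success
2014-09-24T03:30:00 user=pos-vendor src=198.51.100.7 result=success
2014-09-24T03:31:00 user=backup-admin src=198.51.100.7 result=success
2014-09-24T23:45:00 user=pos-vendor src=203.0.113.44 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def in_window(t, start, end):
    """True if time t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_event(event, policy):
    """Return the policy violations for one login event (empty list if clean)."""
    rule = policy.get(event["user"])
    if rule is None:
        # An account nobody has written a vendor policy for is itself a finding.
        return ["no vendor policy for account"]
    reasons = []
    if not any(event["src"] in net for net in rule["allowed_sources"]):
        reasons.append("source outside allowed subnet")
    if not in_window(event["ts"].time(), *rule["window"]):
        reasons.append("outside maintenance window")
    return reasons


def audit_remote_access(log_text, policy):
    """Parse every line and return the events that violate policy, with reasons."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip blank or malformed lines rather than crash the audit
        reasons = check_event(event, policy)
        if reasons:
            findings.append({"user": event["user"], "src": str(event["src"]),
                             "result": event["result"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_remote_access(SAMPLE_LOG, VENDOR_POLICY):
        print(f["user"], f["src"], f["result"], "; ".join(f["reasons"]))
```

Run against the sample log this flags three of the five logins: the daytime login, the login from outside the vendor's range, and the login by an account that has no policy. Failed attempts are carried through untouched so that a reviewer can still see them; the point of the check is whether the access matches what the contract allowed, not whether it succeeded.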

Finally, businesses need to perform a periodic security risk assessment as part of their normal business practices. I assume that most of the Jimmy Johns locations were franchisees. That means that they, and not Jimmy Johns, are responsible for any risk assessment. Healthcare businesses are now required by law (HIPAA) to conduct this kind of risk assessment periodically. All businesses should be doing this purely to protect their rear ends.

Remember, no matter whose fault a breach is, the name that will show up in the news (Target, Home Depot, Jimmy Johns) is yours.

How many vendors do you have with access of some sort to your systems? When was the last time you audited their security procedures? Who is financially responsible for a breach? Good questions to ponder. And act on.

Mitch Tanenbaum