Jimmy John's says hacker took credit-card data at 216 stores

Jimmy John's, a sandwich-shop chain based in Champaign, Ill., said a hacker infiltrated payment systems at about 216 of its locations and stole credit- and debit-card information.

A list of affected stores on Jimmy John's website included 12 locations in Minnesota, including 10 in the Twin Cities area.

The incident occurred after an intruder took login credentials from Jimmy John's payment-technology vendor and then accessed its point-of-sale systems between June 16 and Sept. 5, the company said Wednesday in a statement. The sandwich chain learned of the breach on July 30 and hired forensic experts to handle the investigation, which is continuing.

"The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John's stores," the company said in the statement.

Jimmy John's joins a growing list of retail and restaurant companies struck by hackers in the past year. Home Depot Inc., the largest home improvement chain, said this month that a cyberattack compromised 56 million payment cards. In June, P.F. Chang's China Bistro Inc., an Asian-themed restaurant company, said credit- and debit-card data were stolen from some of its locations.

Jimmy John's statement that it learned of a potential breach at the end of July means the company waited almost two months to alert customers. That differs from the approach of Home Depot, which announced its breach on the day it discovered the incident. The Atlanta-based retailer followed up last week by giving the number of payment cards affected.

Jimmy John's declined to comment on why it took so long to disclose the attack.

Target Corp. also suffered a high-profile breach last year, when hackers snatched 40 million payment-card numbers.

Jimmy John's, a closely held company with more than 2,000 stores, was founded in 1983 by Jimmy John Liautaud. The affected locations included stores in Colorado, Florida, Georgia, Illinois, Michigan and Texas.