Jason’s Deli has recently discovered a data breach that has affected its online platform. In notifications sent to customers, the company has informed them that their personal data was exposed during credential stuffing attacks.
According to the Jason’s Deli breach notification, hackers managed to obtain credentials of member accounts at Jason’s Deli from external sources. These credentials were then used in a credential stuffing attack on the restaurant’s website, which occurred on December 21, 2023.
“On December 21, 2023, we learned that an unauthorized party had obtained an unknown number of Deli Dollar and online account login credentials (usernames and passwords) most likely from other data breaches or other sources not involving Jason’s Deli”
“These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts.”
Reads the notice.
The impact of this attack is contingent upon whether the affected users have reused the same credentials across various online services and platforms, commonly known as “password recycling.” This practice makes their accounts vulnerable to being hijacked. Implementing IP address rate-limiting can help mitigate such attacks.
As a reputable American restaurant chain, Jason’s Deli operates 246 branches across 29 states. With a workforce of over 6,000 employees and an annual revenue exceeding $400 million, the company takes data security seriously.
The Scale of Jason’s Deli Breach
The extent of data exposed in Jason’s Deli data breach varies depending on the information that Jason’s Deli members have included in their online profiles. It may include the following details:
- Truncated credit card numbers (only the last four digits are visible)
- Birthday
- Preferred Jason’s Deli location
- Phone number
- Deli Dollar points
- House account number
- Full name
- Address (including all saved delivery addresses)
- Redeemable amounts and rewards
- Truncated gift card numbers
Jason’s Deli has identified unauthorized access attempts; however, the exact number of impacted accounts remains unknown at this time.
More Than 340,000 Jason’s Deli Customers Data is Said to Have Been Exposed
Based on the information provided by the Office of the Maine Attorney General, it has been determined that a total of 344,034 individuals may have been affected by the data breach.
“We do not know the number of accounts that the unauthorized party was able to access, but out of an abundance of caution, we are sending this notice to all potentially affected account holders,”
Reads the data breach notification.
For those who have been confirmed as impacted, Jason’s Deli will prompt them to reset their passwords. It is important for affected customers to choose a new, strong password. Additionally, it is highly recommended to change passwords on all other online platforms where the same credentials have been used. Activating two-factor authentication (2FA) is also advised wherever it is available.
To address any unauthorized use of Deli Dollars reward points from breached accounts, Jason’s Deli has assured customers that the points will be restored as applicable. This measure is in place to prevent any financial losses for affected customers.