Austin-based eatery Jason’s Deli has issued a warning to members of its Deli Dollars rewards program that their personal information may have been exposed in a credential-stuffing attack.
According to Jason’s Deli’s filing with the Maine Attorney General’s office, the breach impacted more than 344,000 customers. The accounts were compromised using legitimate logins obtained from the Dark Web, sourced from previous breaches of other systems.
The company notified affected customers, stating that an unauthorized party had obtained Deli Dollar and online account login credentials from breaches unrelated to Jason’s Deli. The attackers appear to have used these credentials to access account details such as names, addresses, phone numbers, birth dates, preferred store locations, order history, contacts for group orders, house account numbers, Deli Dollars points, and available rewards, as well as partial credit and payment card numbers.
After learning of the breach, Jason’s Deli encouraged Deli Dollars members to update their login credentials, especially if they are using the same username and password for other accounts. The incident underscores the risks of password reuse across multiple accounts. Experts are calling for the implementation of multifactor authentication (MFA) and secure access management systems to protect against these types of attacks.
Joseph Carson, chief security scientist and advisory CISO with Delinea, emphasized that the breach is a stark reminder of the vulnerabilities created by allowing users to select their own passwords and store sensitive data without enforcement of strong password best practices. Carson also pointed out the rise in successful credential-stuffing attacks, highlighting the urgency for improved security measures.
Lionel Litty, chief security architect at Menlo Security, echoed the importance of multifactor authentication in safeguarding against password reuse and credential stuffing. Litty recommended investing in phishing-resistant MFA to enhance overall cybersecurity defenses.
Interestingly enough, a separate fast-casual sandwich chain, Subway, was recently targeted in a cyberattack. The infamous ransomware group LockBit 3.0 claimed responsibility for a ransomware attack on Subway, in which the group reportedly stole significant financial data, including employee salaries, royalty payments, and commissions.
The mounting instances of successful attacks on fast-food and sandwich chains underscore the critical need for multifactor authentication, secure access management, and heightened cybersecurity measures to protect against evolving cyber threats and safeguard sensitive customer information. As such, businesses must remain vigilant and proactive in their efforts to bolster their cybersecurity posture to mitigate the risk of potential breaches and data exposure.

