Signature Systems says the breach of its point-of-sales system that hit 216 Jimmy John's sandwich shops is actually 50 percent larger than originally thought.
The company said Friday that an additional 108 restaurants that use its payment terminals were also hit. The additional locations are independent restaurants not part of the Jimmy John's chain.
The breach is thought to have begun on June 16 when someone began gaining access to the terminals through a user name and password that are normally used to remotely manage the devices. Companies like Signature Systems use remote management so they don't have to send a technician to each store, saving time and money but also opening the devices up to just the sort of attack that happened.
It wasn't until July 30 that the company first learned there could be a problem. It took a week for the malware to be removed from most terminals, although it wasn't completely gone from just about all until mid-September. At some restaurants, the company still hasn't verified that the malware has been removed, but says the attack has been blocked.
The malware installed was capable of stealing the cardholder's name, card number, expiration data and verification code from the magnetic stripe on the back of the card.
Cards used at the affected locations in a three-month period from mid-June were potentially at risk of being compromised. The company has posted a list of all independent restaurants and the time frames in question on its website, and there's a similar list on the Jimmy John's website.
It shows, for example, that at the Roman Delight restaurant in Southampton, Pennsylvania, the malware was present for just four days in mid-June, while at Apollo Pizza in Philadelphia, the malware was present for three months.
The bad news for consumers is that Signature Systems says it's unable to identify the specific cards that were stolen, so it doesn't know the names and addresses of potential victims. The company is asking customers who used payment cards at the restaurants to watch for fraudulent charges and notify their bank if they appear.
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is firstname.lastname@example.org