Restaurant chain Jason’s Deli is informing customers that their user accounts and personal information might have been compromised in credential stuffing attacks.
Over the weekend, the company, which owns over 200 fast casual restaurants across the United States, began informing customers that attackers have been observed accessing user accounts using login credentials obtained from other data breaches.
“These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts,” Jason’s Deli said in a notification letter to customers, a copy of which was submitted to the Maine Attorney General’s Office.
In cases where the login credentials compromised in another data breach were used for the Jason’s Deli online account as well, the attackers likely hacked the account, gaining access to the personal information that the user had shared with the company.
“That information may have included your name, address (including all saved delivery addresses), phone number, birthday, preferred Jason’s Deli location, order history, contact lists (if any – names and email addresses used for sending group orders), house account number (if any), Deli Dollars points, available redeemable amounts and banked rewards, as well as truncated gift card/credit card numbers,” the notification letter reads.
According to Jason’s Deli, the attackers might have also viewed the last four digits of users’ payment and gift card numbers, but not the entire numbers.
The company has been working on identifying the potentially impacted users, but has yet to determine the number of compromised accounts. However, it told the Maine AGO that more than 340,000 individuals might have been affected.
Jason’s Deli also informed its users that it would restore their Deli Dollars account balances, where applicable.
“Please understand that we believe that this incident was not a result of the unauthorized party hacking into Jason’s Deli’s system in order to obtain this information, as we do not store or retain customer login credentials,” the company said in the notification letter.