Not Your Average Joe's restaurants hit with data breach

October 24, 2007

Boston Business Journal

Massachusetts restaurant chain Not Your Average Joe's issued a statement Tuesday that said its Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data.

"We are shocked that this has happened and are taking the situation very seriously," the statement, which was published on the company's Web site, read. "We sincerely apologize to our customers for any inconvenience that this issue may cause them. We take this issue seriously, and want our customers to understand how they may be impacted."

The Dartmouth, Mass.-based chain said an external investigation into the cause and impact is still ongoing.

"The activity occurred largely between early August and late September; there has been no evidence of any fraudulent activity subsequent to September 29," the company said. "Based on preliminary conversations with the credit card companies, it appears that this issue has impacted significantly fewer than one percent of the nearly 350,000 customers we served during that period. Investigations indicate that no member of the Not Your Average Joe's staff was involved."

The company did not offer further details about how the data was accessed.

"There are several layers of security an organization needs to put in place to protect sensitive information and ensure that only the right people have access to it," said Brian Cleary of Aveksa Inc., a Waltham, Mass.-based security software firm. "Someone outside the network obviously found a flaw or an open-door in order to be able to get to that information."

Not Your Average Joe's said the compromised data includes only credit card numbers, expiration dates and the names associated with the cards.

"Not Your Average Joe's does not have any other identifying data; therefore, no risk of identity theft associated with this issue exists," the statement said.

Any leak of sensitive information brings with it the potential for identity theft, said Cleary.

"I think of it as a combination lock," said Cleary. "If you need three digits and you already have two, it is very possible to go somewhere else and get the missing piece needed to access someone's personal information."

Not Your Average Joe's has also posted a Q&A section on its Web site for customers who have questions about the data breach.
