Penn Station East Coast Subs, a popular food chain in the Midwest, issued a warning to customers via its website on Friday, after some 20% of their franchisee-owned restaurants suffered a data breach. The breach resulted in unauthorized access to an untold number of debit and credit cards.
Penn Station East Coast Subs is a popular place to eat here in the Midwest. Personally, your faithful Tech Herald correspondent can’t get enough of the place, but that may change. I learned of the breach on Friday, when Chase Bank called to inform me that my debit card was canceled.
When I pressed for details, a supervisor within the fraud department explained that the cancelation was because a restaurant that I visited in the past had reported a security incident. Given my purchasing habits with this card (it is used as a secondary source of funds), the only place it sees action on a regular basis is the sub shop – Penn Station.
I went to their website and learned that my card was likely compromised along with others when Penn Station #9 in Indianapolis was breached. Along with Indiana, stores in Illinois, Kentucky, Michigan, Missouri, Ohio (where the company was founded – also the source of the most victims), Pennsylvania, Tennessee, and West Virginia were also hit by the same breach.
According to Penn Station, the breach impacted less than 20% of their chain, exposing names and credit/debit card numbers, but it’s the missing information that makes this breach notification seem strange.
For example, the company says that the breach likely started at the beginning of March, and warns that customers who ate at the chain between then and April should be on alert. How many customers are we talking about? Hundreds? Is it thousands, or tens of thousands? Penn Station didn’t say.
Also missing from the basic notification letter on the website are Penn Station’s reason for waiting a month to tell anyone and exactly how the breach was detected – which is odd given that the letter mentions that the franchisees switched card processing methods due to the breach itself.
The Tech Herald has reached out to Penn Station’s PR firm and asked about the number of customers impacted, as well as the timeline of events – including when the breach was discovered, how it was discovered, and why there was a delay with notification. If they respond, we’ll update this story.
In the meantime, anyone who ordered Penn Station between March and April, and did so in the nine states mentioned, should check the list of locations that are confirmed to be breached. That list is here, and it will be updated as needed, the company said.
Questions can be directed to Penn Station, Inc. at 513-474-5957 from 9 a.m. to 4 p.m. EDT Monday through Friday.