The Investigators: Swiped -- Jason's Deli - Action News 5 - Memphis, Tennessee

Swiped! Jason's Deli was HACKED

Posted: Updated:

By Andy Wise - bio | email

MEMPHIS (WMC-TV) - Law enforcement and card payment sources have confirmed an outside source hacked into an East Memphis restaurant's customer database to steal an untold number of debit and credit card numbers.

Special Agent-In-Charge Rick Harlow of the U.S. Secret Service's Memphis office said agents have ruled out the possibility that employees of Jason's Deli, 1199 Ridgeway Rd, used "skimmers" to glean customer's card data. Sources confirmed Monday the restaurant is PCI-compliant, meaning it meets professional standards for data security.

Harlow said instead, the prime suspect is an international, online theft ring.

"(Customers' card numbers) are being sold on an underground, Internet chat room," said Harlow as he let the Action News 5 Investigators inside the service's multi-agency Electronic Crimes Task Force. "Once they're sold, the buyer will counterfeit a card and use it to steal money."

Dee Karawadra, owner of the national credit card processing company Impact Pay System in Cordova, TN (www.myimpactmd.com), said if the thieves are counterfeiting cards, then they've captured all the data stored on the cards' "mag-stripes" -- the magnetic strips on the back of the cards. He said the data includes customers' names, credit card information and their 3-digit security codes.

Karawadra said that means someone had to have compromised the Jason's Deli system from the outside.

"Either their server or Wi-Fi," he said. "Maybe somebody sat outside and logged into their Wi-Fi."

Harlow won't say exactly how many of the restaurants' customers are victims. The Action News 5 Investigators have heard from more than two-dozen viewers who claim their card data was stolen.

The charges, well into the thousands of dollars, span two hemispheres.

One Mid-South victim who asked to be called "Tonya" discovered someone swiped $900 in charges on her debit card number days after she used it to buy lunch at the East Memphis deli.

The charges took place at a Gucci store in Greece.

"Somebody got a Gucci bag on me," she said.

Jason's Deli's management has been in triage mode, trying to stop the bleeding. Authorities say restaurant officials are fully cooperating with the investigation.

Managing partner Kent Holt said the crime has bitten a huge chunk out of his business, even as he's shut down the store's central credit card computer system.

"We went offline with our system and went to an analog, dedicated phone line -- a direct dial-up for our customers who still want to use their cards," said Hold. "Our customers are our utmost concern."

Harlow said if your credit or debit card number is compromised:

* CALL YOUR BANK. This should be your first call.  Your bank should have processes in place to prevent future charges on your debit card. 

You must report the theft to your bank within 60 days. Your bank may require you to fill out a theft affidavit. You should complete the affidavit and return it to the bank within 15 days, or the bank may hold you responsible for the loss.

* CALL YOUR CREDIT CARD COMPANY. Make this call only if your credit card was compromised. By law, you're never liable for more than $50 of a disputed credit card charge.  Most credit card companies offer zero liability as a feature to attract customers, so you will likely not be liable for anything.

* CALL THE LOCAL POLICE AGENCY OF THE AREA WHERE THE THEFT TOOK PLACE. Even though the Secret Service will ultimately have jurisdiction in a card theft case that spans states and countries, Harlow said you should file a police report with the law enforcement agency that has local jurisdiction. That will help the authorities build a reliable paper trail.

* FILE A FRAUD AFFIDAVIT WITH THE FEDERAL TRADE COMMISSIONwww.ftc.gov/idtheft

The conventional wisdom used to be you should alert the three major credit bureaus (Experian, Equifax, TransUnion), but Harlow said hold off unless the thief opens a NEW account IN YOUR NAME.

Otherwise, putting a fraud alert on your credit reports may make it difficult for you to open new accounts down the road.

"So you need to decide how much risk am I willing to take or how much inconvenience am I willing to take," Harlow said.

In her situation, "Tonya's" bank took care of everything. It sealed her account, issued a new number and reimbursed the $900.

"I feel safe that my bank was on top of it," she said. 

Consumer Reports has recommended never using your debit card at a full-service restaurant where you cannot witness the swipe transaction. Use cash or credit instead.

You should also avoid using debit cards at gas pumps, hotels and car rental companies. Each commonly place what's called a "pre-authorization hold" on a card transaction to make sure there is enough funds in the account to cover the purchase. Card payment sources say that "freeze" can be as much as $100, and it can last up to three days.

Copyright 2010 WMC-TV. All rights reserved.

Powered by WorldNow