Two food industry giants hit in the same week: Jason’s Deli disclosed a credential stuffing attack that compromised 344,000 loyalty accounts using stolen credentials harvested from unrelated data breaches, while LockBit 3.0 claimed it exfiltrated hundreds of gigabytes from Subway’s internal SBS franchise network — a notable target shift for a ransomware group that typically preys on mid-size companies.
Stories Covered
Jason’s Deli Credential Stuffing: 344,000 Loyalty Accounts Compromised
Jason’s Deli, the Texas-based soup and sandwich chain, notified customers in early 2024 that its Deli Dollars loyalty program had been hit with a credential stuffing attack exposing the personal data of more than 344,000 members. Credential stuffing is the automated reuse of username and password combinations leaked from previous, unrelated breaches: attackers collect credential dumps from past incidents, then run automated tools against other websites in bulk, betting that users reuse the same login across multiple services. Jason’s Deli confirmed to the Maine Attorney General’s office that the credentials used in the attack were “most likely from other data breaches or sources not involving Jason’s Deli.” The compromised accounts exposed names, addresses, phone numbers, birth dates, preferred store location, order history, group order contacts, house account numbers, loyalty point balances, available rewards, and partial credit and payment card numbers — the full contents of a logged-in customer account.
The breach requires no sophistication in Jason’s Deli’s own infrastructure to execute — it is entirely a consequence of users reusing passwords across accounts without multi-factor authentication. The attacker does not need to break into Jason’s Deli. They need only obtain credential dumps from any previous breach anywhere, run them through a script, and collect the hits. The fix at the individual level is straightforward: a unique password per site (a password manager removes all friction from this) and app-based two-factor authentication wherever it is available. App-based MFA is meaningfully stronger than SMS-based MFA because SMS is vulnerable to SIM swapping attacks, where an attacker socially engineers a mobile carrier into reassigning the victim’s number to an attacker-controlled SIM. At the organizational level, the standard mitigations are rate limiting login attempts, detecting anomalous login volume, checking submitted credentials against known breach databases (services like HaveIBeenPwned offer APIs for exactly this), and prompting password resets for accounts whose credentials appear in public breach dumps.
LockBit 3.0 Claims Subway Breach: Ransomware Group Moves Up-Market
LockBit 3.0 posted a claim on its Tor leak site asserting it had exfiltrated hundreds of gigabytes of data from Subway’s internal SBS (Subway Franchisee Ordering System) network, including financial data across the entire franchise operation. Subway confirmed it was investigating the claims. The ransom deadline posted by LockBit was February 2nd, 2024. What made the claim notable beyond the brand recognition was the target profile: LockBit’s typical victim is a company in the $100 million revenue range, and Subway is a multi-billion dollar operation. Security researchers at Black Kite noted that Subway represents a meaningful expansion of LockBit’s target ceiling, consistent with a pattern seen in other recent incidents — including the Boeing breach via the Citrix Bleed vulnerability — where ransomware operators are increasingly targeting enterprise-scale organizations rather than staying in the mid-market.
The reason large enterprises are attractive despite their resources is the same reason they are difficult to defend: attack surface scales faster than security capacity. A billion-dollar franchise operation has thousands of franchisees, dozens of enterprise applications, a large corporate network, point-of-sale infrastructure in thousands of locations, and years of accumulated technical debt — all connected to the internet, all potentially patchable, and rarely all patched at once. An attacker has to find one gap. Black Kite’s analysis of Subway’s exposure flagged the same issues common to other large enterprises: large attack surfaces with slow patching cycles that create windows for vulnerability exploitation. LockBit held over 21% of global ransomware market share at the time of the Subway claim, had claimed more than 1,000 victims in the prior year, and had accounted for over 35% of total ransomware extortion attacks in early 2023. The playbook for organizations in this threat environment includes network segmentation (so a compromised POS system cannot reach financial databases), offline backups (so encryption does not mean permanent data loss), monitored credential exposure (so compromised employee accounts are detected before attackers pivot deeper), and current patching — not because any of these guarantees safety, but because each one raises the cost of successful attack above what opportunistic actors are willing to pay.
Leave a Reply