boston.com Business your connection to The Boston Globe

Restaurant chain customers' credit card data stolen

Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday that thieves have stolen credit card data belonging to its customers.

The Dartmouth-based chain estimated fewer than 3,500 of the 350,000 customers it served in August and September had their credit card information stolen. The 14-restaurant chain said it is working with the US Secret Service and major credit card companies to determine how the data theft occurred and precisely how many customers were affected.

Today, the chain plans to post on its website a notice to customers about the security breach.

Diana Pisciotta, a spokeswoman for Not Your Average Joe's, said the chain decided to alert customers so they could check their credit card statements and notify their credit card companies about any suspicious charges. Consumers are generally not responsible for fraudulent activity on their credit cards.

"We're doing this out of an abundance of caution and to be respectful and forthright with our customers," she said.

Security breaches at retailers have made headlines this year. TJX Cos., the Framingham-based parent of such chains as TJ Maxx and Marshalls, disclosed this year that hackers had stolen at least 45.7 million credit and debit card numbers from its computer system, including records dating as far back as 2003. TJX said two-thirds of the cards were expired or had data on their magnetic strips masked.

The breach at Not Your Average Joe's first surfaced on Cape Cod. Officials at Cape Cod Five Cents Savings Bank reported to local police that a handful of customers were seeing unauthorized charges showing up on their credit card statements.

Detective Ed Scipione of the Barnstable Police Department said an investigation revealed that the common denominator for all of the consumers was a lunch or dinner at Not Your Average Joe's. Most had eaten at the chain's Hyannis restaurant.

Scipione said the Cape Cod Five customers reported nearly $20,000 in unauthorized charges, nearly all of them rung up abroad. He said it appeared the thieves were using the stolen credit card information in conjunction with counterfeit credit cards.

Scipione said other banks soon reported similar problems and the Secret Service began investigating. Steven Ricciardi, special agent in charge for the Secret Service in Boston, confirmed an investigation is ongoing.

"This wasn't an isolated incident," Scipione said. "This appeared to be a breach of their internal security system."

Not Your Average Joe's operates 13 restaurants in Massachusetts and one in Virginia. The restaurants sell what the chain's website calls "creative casual cuisine."

Pisciotta said the chain has beefed up its security measures and hired a forensic analyst to find out what happened. She said the thieves apparently obtained customer names, credit card numbers, and card expiration dates.

She said the analyst's investigation is ongoing and the chain does not believe the security breach involved any of its employees.

Pisciotta said no unauthorized credit card charges have been reported since Sept. 29 and the chain assumes its existing security system is secure. "We're fairly confident that a customer walking into one of our places today could use their credit card safely," she said.

Bruce Mohl can be reached at mohl@globe.com.
