The Supervalu supermarket chain recently acknowledged that “a criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores” may have exposed an undisclosed number of customers’ payment card data.
Specifically, the company says payment card account numbers may have been stolen, along with some expiration dates and/or cardholder names.
Affected cards were used between June 22, 2014 and July 17, 2014 at the 180 Supervalu stores and standalone liquor stores listed here [PDF]. Store brands include Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save, and Shoppers.
In addition, Supervalu provides IT services to some Albertsons stores, which may also be affected. “Supervalu believes that any losses incurred by Albertson’s LLC or New Albertson’s, Inc., as a result of the intrusion affecting their stores would not be Supervalu’s responsibility,” the company said in a statement.
Albertsons supermarkets in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were apparently impacted, along with Acme Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Market stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
Because the investigation is ongoing, however, Supervalu says the time frames, store locations and specific data stolen may be corrected in the future.
“The safety of our customers’ personal information is a top priority for us,” Supervalu president and CEO Sam Duncan said in a statement. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
All affected customers are being offered one free year of identity protection services from AllClear ID.
(ISC)2 executive director W. Hord Tipton said by email that this breach is yet another consequence of retailers failing to implement serious security controls into their point of sale systems. “Incorporating chip and pin technology into POS systems is one of the strongest measures that retailers can take to protect their customers,” Tipton said. “Unfortunately, without mass adoption, retailers will continue to deal with the fallout associated with losing valuable customer information; further weakening public trust in performing credit and debit card transactions with confidence.”
And HyTrust executive director Eric Chiu said by email that breaches like this demonstrate why security should be top of mind for every organization today. “Companies must assume they have already been breached, and begin looking at policies and technology that can prevent attackers from getting access to sensitive or regulated data, even if the attackers are inside the network,” he said.
A recent eSecurity Planet article examined the best practices for companies to follow after a data breach, from working with an independent security firm to communicating clearly with the public regarding the details of the breach.