The nationwide supermarket chain Supervalu confirmed on Thursday it had learned of an intrusion of its payment processing system, compromising numerous retail food stores, as well as some stand-alone liquor stores.
Supervalu representative Eden Prairie stated in a press release, “This criminal intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name.”
Supervalu reported that the breach gave hackers unauthorized access to payment information starting on June 22, 2014, and ending on July 17, 2014, from 180 Supervalu stores and stand-alone liquor stores operating under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy brands. In addition, Supervalu believes the intrusion may have also affected 29 franchised Cub Foods stores and stand-alone liquor stores.
The company disclosed a list of the impacted stores, which includes stores in Minnesota, North Dakota, Illinois, North Carolina, Virginia, Montana and Maryland.
Additionally, Supervalu stated that some stores owned and operated by AB Acquisition were affected by a related breach, including Albertson’s, ACME, Jewel-Osco and Shaw’s franchises. Supervalu provides IT services to AB Acquisition under a transition service agreement, but claims it will not be held responsible for losses incurred by the separate chains.
Albertson’s reported that stores in the following states were impacted by the breach:
- Albertson’s stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah.
- ACME stores in Pennsylvania, Maryland, Delaware and New Jersey.
- Jewel-Osco stores in Iowa, Illinois and Indiana.
- Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
Supervalu said the intrusion has been contained at this point, and that it has not yet found any evidence pointing to customer data misuse. The company said it is currently working with federal law enforcement authorities to investigate and identify those responsible for the breach.
“Upon recognition of the intrusion, the company took immediate steps to secure the affected part of its network,” said Prairie. “An investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident.”
Tripwire Security Researcher Ken Westin commented, “This breach appears to be different from other retail breaches we have seen in that they were able to detect it themselves, versus being notified by card issuers or banks when their analysts trace fraudulent cards back to the stores.”
“In this case, it looks like if the companies were able to detect the breach to some degree and contain it, they may have been able to stop the intrusion before credit card data was actually exfiltrated from the network.”