A data breach at Supervalu Inc., one of the largest grocery wholesalers and retailers in the U.S., could affect thousands of people who shopped at the company's stores between June 22 and July 17.
The breach may also affect customers from several other major grocery store chains for which Supervalu provides IT services as a third-party provider.
The stores affected by the breach include 180 Supervalu stores operated under the Hornbacher's Shop 'n Save, Shoppers Food & Pharmacy, Farm Fresh and Cub Foods banners. Customers of all Jewel-Osco stores operating in Illinois, Indiana and Iowa were also affected. Supervalu offered up a list of the stores it believes were affected (download PDF) and has posted a FAQ about the breach..
Credit and debit card data may also have been obtained from customers of Albertsons stores in nine states, including California, Idaho, Montana, Washington and Oregon. In addition, ACME market stores in Pennsylvania, Maryland, Delaware and New Jersey and Shaw's and Star Market stores in Maine, Massachusetts, Vermont, New Hampshire were affected.
In a statement Thursday, the Eden Prairie, Minn.-based Supervalu said it had suffered a criminal intrusion into its payment processing network between June and July. That intrusion may have resulted in the theft of account numbers, cardholder names, expiration dates and other data from payment cards used at some of the company's stores during that time.
So far, there is no indication that the data has been misused, the company said. Supervalu operates more than 3,320 stores in the U.S.
According to Supervalu, its internal IT team detected the intrusion and quickly moved to remediate it. "An investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident," the company said. "Supervalu believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores. "
The company is offering consumers affected by the breach a year's worth of free identity protection services.
In a separate statement, AB Acquisition, which owns and operates Albertson's, ACME, Jewel-Osco, Shaw's and Star Markets said it is working closely with Supervalu to find out what exactly happened and what data might have been stolen.
Mark Bates, senior vice president and CIO at AB Acquisition, reiterated that there is no evidence yet that the breached data has been misused. Like Supervalu, AB Acquisition will offer one year of free identity protection services for customers whose payment cards may have been affected.
The breach is another reminder of how vulnerable U.S merchants and the payment system in general remains to massive data compromises.
The disclosure comes just weeks after the U.S. Department of Homeland Security warned about malicious hackers taking advantage of commonly used enterprise remote access tools to break into retail point-of-sale (POS) systems and plant malware on them.
According to the DHS, hackers are using publicly available scanning tools to locate businesses that use remote desktop applications such as those from Microsoft, Apple and LogMeIn. Once the hackers locate a remote desktop app, they try and guess the user's login credentials using brute-force methods. They then are able to infiltrate the enterprise network as an insider and gain access to POS systems.
DHS investigations show that hackers have used the method successfully to infect POS systems at three retailers with a malware program dubbed "Backoff."
The Supervalu breach is also sure to focus attention on third-party security issues in the retail space. In this case, many of the stores that were affected by the breach had outsourced their IT services to Supervalu.
Under the Payment Card Industry Data Security Standard (PCI DSS), companies that outsource payment card services to third parties are still primarily responsible for ensuring the security of that data.
The PCI DSS only last week updated its guidance to help merchants better determine whether third-party service providers have implemented security measures to protect credit and debit cardholder data.
Starting next July, merchants that want to remain compliant with PCI requirements will be required to obtain a written assurance from each of their service providers attesting to the provider's readiness to handle credit and debit card data securely.