Schnucks supermarket chain struggled to find breach that exposed 2.4M cards

Company's experience highlights growing sophistication of attacks, analysts say

The Schnucks supermarket chain struggled for two weeks to find the source of a breach after being alerted to a possible leak of credit card info by its card processing company. During that time, Schnucks apparently continued exposing the debit and credit card data of people who shopped at its stores.

Details about the breach were released Monday after an investigation into what happened.

Schnucks is a St. Louis-based supermarket chain that owns 100 stores and 96 in-store pharmacies in a five-state region in the Midwest. On March 30, the company announced that it had found and contained a data breach that had potentially exposed credit and debit card data on an unknown number of its customers.

In an update released today, Schnucks said its investigation shows that data on about 2.4 million credit and debit cards used by customers at 79 stores may have been exposed. According to the company, only card numbers and expiration dates appear to have been exposed, not the cardholder's name, address or other identifying information.

A detailed timeline of events posted on its site shows that Schnucks first learned of a possible intrusion on March 14. That's when the chain's card processor alerted officials about fraud on a handful of cards that had been used recently. It launched an internal investigation and quickly ruled out insider theft and point-of-sale devices as potential causes.

On March 19, the company hired security firm Mandiant to investigate further amid reports of more fraud. But even with the help of a professional security services firm, Schnucks was not able to isolate and shut down the breach until March 28. It took another 36 hours to contain the breach and bolster security to prevent a recurrence.

In its update today, Schnucks warned that the breach affected cards used by customers between December 2012 and March 29, 2013. That time frame suggests that the company was continuing to leak credit and debit card information between the time it was first alerted of a problem and the time it actually fixed it.

Schnucks' experience highlights the growing sophistication of such attacks and the challenges companies face in dealing with them, said Avivah Litan, an analyst with Gartner in Stamford.

"You'd think they would have figured out what to shut off or at least how to control their traffic" to prevent further data leaks, Litan said. The fact that the company was unable to locate the source of the breach for so long shows how good attackers are getting at concealing their tracks, she said.

Increasingly, attackers have been resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection. "They cloak their malware or hide it within seemingly innocuous files so that it's very difficult to detect," she said.

Existing forensics tools are not good enough at finding these attacks within hours, or even days, she said. "And the network and enterprise security tools are not smart enough to detect the hacking ... when it occurs.

"What's needed, and what some tech startups are working on, is behavioral modeling, base-lining and profiling of all nodes and communication ports in an internal network so that abnormal activity and communications can be detected -- even if the activity is only active a few seconds a week," Litan said.

"Of course this is very difficult to pull off without a lot of false positives and noise in the system, but this is what's needed," she added.
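The base-lining approach Litan describes can be illustrated with a small detector. The following is an added example written for this article, not code from Schnucks, Mandiant or any of the analysts quoted: it learns, per (source host, destination, port) channel, how many bytes each host normally sends per day over a baseline window, then scores a new window and flags two kinds of anomaly: a channel the host has never used before (which catches low-volume, short-lived activity that a volume threshold alone would miss) and a sharp spike on a known channel. The host names, destinations and flow records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One aggregated outbound flow record (constructed format, not a real collector's)."""
    day: int        # day index within the observation period
    src: str        # internal node that originated the traffic
    dst: str        # destination host/IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


def build_baseline(flows, days):
    """Per channel (src, dst, dport): mean and std-dev of daily outbound bytes.

    Days on which a channel carried nothing count as 0 so that the baseline
    reflects how regularly the channel is used, not just its busy days.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        daily[(f.src, f.dst, f.dport)][f.day] += f.bytes_out
    baseline = {}
    for channel, per_day in daily.items():
        series = [per_day.get(d, 0) for d in range(days)]
        baseline[channel] = (mean(series), pstdev(series))
    return baseline


def score_window(flows, baseline, z_threshold=3.0):
    """Compare one day's flows against the baseline; return a list of alerts.

    Each alert is (channel, reason, observed_bytes).
    """
    observed = defaultdict(int)
    for f in flows:
        observed[(f.src, f.dst, f.dport)] += f.bytes_out
    alerts = []
    for channel, total in observed.items():
        if channel not in baseline:
            # Never seen in the baseline window: a new channel is suspicious
            # regardless of volume, which is what catches brief, quiet activity.
            alerts.append((channel, "new_channel", total))
            continue
        mu, sigma = baseline[channel]
        if sigma == 0:
            # Perfectly regular channel: any change at all is a deviation.
            if total != mu:
                alerts.append((channel, "deviates_from_constant", total))
            continue
        z = (total - mu) / sigma
        if z > z_threshold:
            alerts.append((channel, "volume_spike", total))
    return alerts


def detect_constructed():
    """Run the detector over constructed sample data and return its alerts."""
    baseline_days = 7
    history = []
    for d in range(baseline_days):
        # Two point-of-sale hosts talking to the payment gateway and DNS each day.
        for pos in ("pos-01", "pos-02"):
            history.append(Flow(d, pos, "gateway.example", 443, 50_000 + 1_000 * (d % 3)))
            history.append(Flow(d, pos, "dns.internal", 53, 2_000))
    baseline = build_baseline(history, baseline_days)

    # The window under review (day 7): normal traffic plus two anomalies.
    window = [
        Flow(7, "pos-01", "gateway.example", 443, 51_000),   # normal
        Flow(7, "pos-01", "dns.internal", 53, 2_000),        # normal
        Flow(7, "pos-01", "203.0.113.9", 8443, 1_200),       # tiny, never-seen channel
        Flow(7, "pos-02", "gateway.example", 443, 300_000),  # large outbound spike
        Flow(7, "pos-02", "dns.internal", 53, 2_000),        # normal
    ]
    return score_window(window, baseline)


if __name__ == "__main__":
    for channel, reason, total in detect_constructed():
        print(f"{reason:22} {channel[0]} -> {channel[1]}:{channel[2]} ({total} bytes)")
```

The "new channel" rule is deliberately volume-independent: the 1,200-byte connection to an unfamiliar host is flagged even though it is two orders of magnitude smaller than normal gateway traffic. That is also where Litan's caveat about false positives bites, since every legitimately new destination (a software update server, a new vendor) will trip the same rule, so in practice the baseline window has to be long enough, and the alert enriched with enough context, for an analyst to triage it quickly.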

Jim Huguelet, principal of the Huguelet Group LLC, a firm that advises companies on compliance with credit card security standards, said the amount of time it took Schnucks to isolate the cause of the breach is longer than is typical.

"This could indicate that the malware was custom-written for Schnucks' environment or utilized unique techniques to hide its existence," he said.

"The number of cards compromised is significant given the relatively small size of the Schnucks chain and just proves that retailers of all sizes must be diligent in their protection of their payment processing systems," Huguelet said.

Schnucks did not respond to a request for comment.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
