Grocery stores in multiple states hit by data breach

Affected retailers include Albertson's Cub Foods, Jewel-Osco, Shop n Save, Star Market and Shaw's

A data breach at Supervalu Inc., one of the largest grocery wholesalers and retailers in the U.S., could affect thousands of people who shopped at the company's stores between June 22 and July 17.

The breach may also affect customers from several other major grocery store chains for which Supervalu provides IT services as a third-party provider.

The stores affected by the breach include 180 Supervalu stores operated under the Hornbacher's Shop 'n Save, Shoppers Food & Pharmacy, Farm Fresh and Cub Foods banners. Customers of all Jewel-Osco stores operating in Illinois, Indiana and Iowa were also affected. Supervalu offered up a list of the stores it believes were affected ( download PDF) and has posted a FAQ about the breach..

Credit and debit card data may also have been obtained from customers of Albertsons stores in nine states, including California, Idaho, Montana, Washington and Oregon. In addition, ACME market stores in Pennsylvania, Maryland, Delaware and New Jersey and Shaw's and Star Market stores in Maine, Massachusetts, Vermont, New Hampshire were affected.

In a statement Thursday, the Eden Prairie, Minn.-based Supervalu said it had suffered a criminal intrusion into its payment processing network between June and July. That intrusion may have resulted in the theft of account numbers, cardholder names, expiration dates and other data from payment cards used at some of the company's stores during that time.

So far, there is no indication that the data has been misused, the company said. Supervalu operates more than 3,320 stores in the U.S.

According to Supervalu, its internal IT team detected the intrusion and quickly moved to remediate it. "An investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident," the company said. "Supervalu believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores. "

The company is offering consumers affected by the breach a year's worth of free identity protection services.

In a separate statement, AB Acquisition, which owns and operates Albertson's, ACME, Jewel-Osco, Shaw's and Star Markets said it is working closely with Supervalu to find out what exactly happened and what data might have been stolen.

Mark Bates, senior vice president and CIO at AB Acquisition, reiterated that there is no evidence yet that the breached data has been misused. Like Supervalu, AB Acquisition will offer one year of free identity protection services for customers whose payment cards may have been affected.

The breach is another reminder of how vulnerable U.S merchants and the payment system in general remains to massive data compromises.

The disclosure comes just weeks after the U.S. Department of Homeland Security warned about malicious hackers taking advantage of commonly used enterprise remote access tools to break into retail point-of-sale (POS) systems and plant malware on them.

According to the DHS, hackers are using publicly available scanning tools to locate businesses that use remote desktop applications such as those from Microsoft, Apple and LogMeIn. Once the hackers locate a remote desktop app, they try and guess the user's login credentials using brute-force methods. They then are able to infiltrate the enterprise network as an insider and gain access to POS systems.

DHS investigations show that hackers have used the method successfully to infect POS systems at three retailers with a malware program dubbed "Backoff."

The Supervalu breach is also sure to focus attention on third-party security issues in the retail space. In this case, many of the stores that were affected by the breach had outsourced their IT services to Supervalu.

Under the Payment Card Industry Data Security Standard (PCI DSS), companies that outsource payment card services to third parties are still primarily responsible for ensuring the security of that data.

The PCI DSS only last week updated its guidance to help merchants better determine whether third-party service providers have implemented security measures to protect credit and debit cardholder data.

Starting next July, merchants that want to remain compliant with PCI requirements will be required to obtain a written assurance from each of their service providers attesting to the provider's readiness to handle credit and debit card data securely.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and Hackingsecuritydata breachMalware and VulnerabilitiesSupervalu

More about ABAlbertson'sInc.LogMeInSupervaluTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place