Minnesota-based SUPERVALU announced on Thursday that anyone who ran their credit and debit cards through point-of-sale (POS) devices in more than 200 of its nationwide shops may have had personal information – notably payment card data – stolen in a breach.
From as early as June 22 to as late as July 17, shoppers who used payment cards at SUPERVALU shops and stand-alone liquor stores may have had information compromised by attackers who gained entry to the SUPERVALU computer network that processes card transactions, according to a release.
Names, payment card numbers, expiration dates, and other numerical information from cards used at POS devices may have been compromised. “The Company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data,” according to a FAQ posted on the website.
The incident impacted SUPERVALU stores operating under the names Hornbacher's, Cub Foods, Cub Foods Liquor Store, Farm Fresh, Shop ‘n Save, and Shoppers Food & Pharmacy in various parts of the country, including several in Minnesota, Virginia, Illinois, Missouri, Maryland and North Carolina.
AB Acquisition LLC – operator of Albertsons, ACME Markets, Jewel-Osco, and Shaw's and Star Market – announced a similar breach on Thursday that it said occurred between the same timeframe. The company is working collaboratively with SUPERVALU to investigate, according to a release.
Among the impacted locations: Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming, and Southern Utah; ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco shops in Iowa, Illinois and Indiana; and Shaw's and Star Markets in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
SUPERVALU and AB Acquisition each stated that steps have been taken to secure the breaches and, although an investigation involving forensics experts and law enforcement is ongoing, customers should feel safe shopping at any of the impacted locations.
It is unclear exactly how many payment cards were impacted in the breaches, but both companies are taking steps to notify customers that could have had payment cards compromised, as well as offering them a free year of identity theft protection services.
In a Friday email correspondence, Adam Bosnian, EVP of the Americas with Cyber Ark, told SCMagazine.com that he strongly believes POS devices were compromised by malware. He explained that the attackers likely did this by stealing credentials through phishing and elevating privileges.
“Every business should have controls in place that minimize and eliminate attackers from being able to exploit insider credentials,” Bosnian said, going on to add, “By taking steps like using analytics to determine anomalous privilege behavior, or monitoring all privileged activity, we can get ahead of the breaches before they happen.”
However, preventing these types of incidents from occurring outright might be an impossible task, Bosnian said.
“There are too many threat vectors to eliminate these completely,” Bosnian said. “But what we need [to] do as security professionals [is] make it near impossible for attackers to turn a company's infrastructure against itself. Security needs to start with the assumptions that attackers will get inside – it's what they're able to do once inside that matters.”