Supermarket Data Breach Exposes 2.4 Million Credit Cards
Midwestern supermarket chain Schnucks may have continued to put customers at risk two weeks after a data breach involving 2.4 million credit and debit cards was brought to the company's attention.
The St. Louis-based chain was alerted to the breach on March 15 by the company's payment processor, which said there had been fraudulent activity on several cards recently used at Schnucks stores.
It wasn't until March 28 that Schnucks, which operates 100 stores in four states, was finally able to locate the security hole. It took another day and a half for the company to contain the breach, which was made public March 30.
In a statement yesterday (April 15) updating customers, Schnucks warned that customers who used their cards at 79 different Schnucks stores between December 2012 and March 29 may have been affected. The company posted a list of affected Schnucks stores on its website; a call center can be reached at 1-888-414-8022.
"I apologize to everyone affected by this incident," the statement quoted CEO Scott Schnuck as saying.
"Technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," Schnuck said. "Today I make a personal pledge to you that we will be relentless in maintaining the security of our payment-processing system."
The statement noted that only card numbers and expiration dates had been compromised, and that no names or addresses were attached.
Schnucks hired breach-mitigation firm Mandiant on March 19, five days after the supermarket chain had learned of the leak and ruled out an insider or point-of-sale malware as the source.
Even then, it took nine days to fix the flaw. While Mandiant worked to plug the hole, Schnucks' customers' credit-card details continued to be exposed.
Schnucks' statement tried to explain why the company had waited two weeks to notify customers of the data breach.
"A cyber-attack is not like a bank robbery where you know immediately when it occurred and who was affected," the statement said.
"The investigation of a cyber-attack requires painstaking analysis of digital evidence that takes time in order to determine what happened," it continued. "The forensic investigation firm found the first indication of an issue on March 28, we contained the issue by March 30, and we have been working to identify affected stores and card numbers since then."
Schnucks' inability to quickly locate and mitigate the leak may be due to increasingly sophisticated methods on the part of cybercriminals, who pose a growing threat to businesses and consumers alike.
"The fact that the company was unable to locate the source of the breach for so long shows how good attackers are getting at concealing their tracks," Gartner Inc. analyst Avivah Litan told Computerworld.
"What's needed ... is behavioral modeling, base-lining and profiling of all nodes and communication ports in an internal network so that abnormal activity and communications can be detected" quickly, Litan said, "even if the activity is only active a few seconds a week."
Schnucks said it had sent the compromised card numbers to the credit-card companies so that affected accounts could be closely monitored for signs of fraudulent activity.
If you think you've been the victim of a data breach, contact the three major credit-reporting agencies — Equifax, Experian and TransUnion — and place a fraud alert on your account.