AB Acquisition: Breach Impacts 836 StoresAlbertsons, ACME, Jewel-Osco, Other Locations Impacted
In the wake of the Supervalu supermarket data breach, AB Acquisition, which runs five supermarket brands previously owned by Supervalu, says 836 of its stores were impacted by the compromise.
Supervalu confirmed on Aug. 14 that it was investigating a network intrusion that may have resulted in criminals compromising customer data from point-of-sale systems in 180 stores (see: Supermarket Chain Reveals New Breach).
A spokesperson for AB Acquisition confirmed to Information Security Media Group that the compromise affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states. Supervalu is AB Acquisition's third-party IT services provider.
Supervalu sold the 877 stores operating under those five brand names in January 2013 to AB Acquisition, which confirms in an Aug. 14 statement that there has been an "incident involving payment card data processing."
"Third-party data forensics experts are supporting an ongoing investigation," AB Acquisition says. "We have not determined that any cardholder data was in fact stolen, and currently have no evidence of any misuse of any such data. We believe that the intrusion has been contained and are confident that our customers can safely use their credit and debit cards in our stores."
AB Acquisition says the data breach affected Albertsons stores in southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and southern Utah; ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
Stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and Northern Utah were not impacted by the breach. "Stores from our 'legacy divisions' were acquired in 2006, and are not part of this incident because they did not receive the same technology upgrades," says Christine Wilcox, vice president of communications and public affairs for Albertsons. United Supermarket stores, which Albertsons acquired in December 2013, also were not impacted since they are on their own systems, Wilcox says.
AB Acquisition FAQ
On Aug. 15, AB Acquisition posted an FAQ to the websites of its various brands detailing the incident.
"[AB Acquisition] has recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores," the FAQ says. "The appropriate federal law enforcement authorities have been notified, and [AB Acquisition] is working closely with ... Supervalu to better understand the nature and scope of the incident."
The intrusion into AB Acquisition's systems potentially compromised names, account numbers, expiration dates or other numerical information. Customers who may have been affected are being offered one year of free identity protection services.
Reactions to New Breaches
News of the Supervalu and AB Acquisition data breaches quickly spread throughout the security community, prompting strong reactions from practitioners, who posted comments to Information Security Media Group sites.
"Both credit unions and banks need to join forces and push hard for enhanced card security features," says one commenter. "EMV 1.0 is a micro step forward at best. We need giant leaps and that too will require some potentially extra steps at payment by customers.
"The FI industry has to share some of the blame for not being more proactive in developing and introducing advanced card and ID verification technologies," the commenter says. "The industry has historically moved at a snail's pace and needs to be in a dead sprint."
Another observer, in response, says the blame shouldn't fall on financial institutions. The problem, instead, has to do with the card brands "who continue to do nothing to advance from 1960s technology while also never holding merchants accountable for card-present transactions or better securing their databases."