According to the latest statement issued by Save Mart, the skimming attack targeted self-service checkout terminals at 24 Save Mart and Lucky Supermarkets in the San Francisco Bay area. Save Mart owns and operates more than 233 stores in Northern California.
This is the first confirmation that Save Mart's breach was the result of a skimming attack. Previous statements have offered scant details about the incident.
In late November, Save Mart issued a consumer advisory, warning customers about card-reader breaches at 20 of its stores. In December, Save Mart confirmed that at least 80 employees and customers had reported account compromises.
Save Mart's chief financial officer Stephen Ackerman, in a Dec. 5 statement, said the company believed cards used during the months of October and November were likely exposed. But few other details were released.
Now, after working with the Secret Service as part of an ongoing investigation, Save Mart says it has uncovered what it calls a high-tech credit- and debit-card skimming scheme. So far, compromised card data has been traced to use at single checkout lanes at each of the 24 affected stores. As a precautionary measure, however, the company has replaced or inspected all of its 2,557 POS card readers, which includes self-checkout and staffed checkout lanes, in all of its stores in Northern California and Northern Nevada. "This not only includes Lucky Supermarket stores, but inspections at Save Mart, S-Mart Foods, Maxx Value Foods and FoodMaxx stores that are also owned by Lucky Supermarkets' parent company, Save Mart Supermarkets," the company says.
Routine Inspections Identified Breach
A similar breach, which in May was discovered at POS systems in 20 Michaels crafts stores, highlights the vulnerabilities of retail checkout systems. But, unlike the Michaels compromise, which was discovered after card issuers' fraud-detection systems linked compromised cards back to Michaels, the Save Mart breach was uncovered during a routine maintenance check.
Julie McNelley, research director at Aite Group who focuses on financial fraud, says both incidents reinforce the need for physically inspecting card readers and payments devices. "We have seen many banks deploy this practice for their ATMs as well," she says.
But there is no silver bullet.
John Buzzard of FICO's Card Alert Service says retailers and banks, as card issuers, have to rely on detection systems as well as physical inspections. In the Save Mart breach, FICO identified 12 of the initially compromised locations, once fraudulent ATM withdrawals started hitting cardholder accounts on Dec. 2.
"FICO Card Alert Service sent out compromised card reports to all affected issuers during the first week of December, so that card issuers had an opportunity to identify and manage the risk directly associated with this type of counterfeit card fraud," Buzzard says. "The card issuer's aggressive blocking and reissuance of cards related to this case truly made a huge dent in the amount of losses experienced."
Buzzard says banking institutions that took proactive action to identify high-risk cards linked to those Save Mart and Lucky locations substantially limited their losses. In the Michaels breach, FICO also identified at-risk cards linked to 70 Michaels locations in 18 states.
"It really takes the combined efforts of FIs [financial institutions], merchants and consumers to proactively detect and mitigate the impact of these attacks," McNelley says. "Many FIs have sophisticated analytics deployed to look for these types of breaches, but it takes a number of losses that are detected by consumers in order to have enough of a pattern to identify a common point of compromise. Lucky was fortunate that they didn't have to wait for these types of analytic routines to create a trail that led back to its stores, or the impact of the breach could have been great."
Save Mart says it has notified all potentially affected customers and their card-issuing financial institutions to be on the lookout for suspicious card activity.
"[Save Mart and] Lucky Supermarkets' merchant-services provider has completed the release of all transaction data from the compromised self-checkout lanes to financial institutions so that they will be able to identify affected consumers and protect consumers' accounts from unauthorized transactions," the statement says.