The compromise of hundreds of payment cards, apparently tied to fraud worldwide, has been linked to a network hack affecting Arizona-based supermarket chain Bashas' Family of Stores.
An executive with a card-issuing institution that serves the West Coast, who asked not to be named, says fraudulent transactions linked to the Bashas' breach have shown up in international markets. "From what we are seeing, this is a corporate breach that is very active with fraud occurring worldwide," the executive says.
Banking institutions have been tracking suspicious card activity for weeks that they recently traced back to cards used at a Bashas' location, the executive says.
Law enforcement officials in Arizona say the breach may date back to late 2012. One breach expert says attackers likely sold stolen card data on an underground forum. And executives at Bashas' says new malware is behind the attack.
On Feb. 5, Bashas' confirmed a breach of its corporate network, which likely exposed debit and credit card numbers used at one or more of Bashas' 130 locations in Arizona, which include Bashas' supermarkets, AJ's and Food City.
"We were recently the victim of a cyberattack by highly sophisticated criminals who gained access to parts of our systems to capture payment information," the company revealed in its Feb. 5 breach statement. "Bashas' is and has been compliant with all Payment Card Industry (PCI) security requirements. However, we recently located and removed a highly sophisticated piece of malware that has never been seen before in the industry.
"The malware has been identified and contained, and we are working with forensic specialists and federal law enforcement officials in their investigation to find those responsible," the company states.
Bashas' says it has installed additional security measures, beyond what is required by PCI, to its point-of-sale and enterprise systems to enhance protections for customer information.
Details about the breach remain sketchy, says Bashas' spokeswoman Kristy Jozwiak.
"We've gotten some calls about the issue, and so we've made the announcement to encourage our customers to monitor their accounts and notify their bank if they notice any suspicious transactions," she tells BankInfoSecurity.. "We are working with federal law enforcement officials and local enforcement officials and agencies now to share what we've learned and to investigate the breach."
Sam Imandoust, a legal analyst with the California-based Identity Theft Resource Center, which tracks breaches and assists consumers with ID theft protection, portrays the breach as a "strategic event."
"It seems there was a breach of information and that information has been sold," he says. "It does not seem the hackers themselves just got the numbers and then used them for purchases. This was a more strategic event."
Even before Bashas' confirmed the breach, local law enforcement in Arizona had traced fraud activity back to Bashas', Imandoust says.
In a news release issued Feb. 1, Lake Havasu City police warned consumers to monitor their accounts if they had used credit or debit cards at a Bashas' location within the last two weeks.
"Detectives within the Criminal Investigations Bureau at the Lake Havasu City Police Department have been collecting the multitude of reports and reviewing victims' account activity in an attempt to locate a common source," the news release states. "After analyzing the reports they have found a common nexus of transactions to have occurred at either Bashas' or Food City. ... The breach appears to be at the corporate level and not locally initiated. The office of the Federal Bureau of Investigation has also been made aware of this information."
Consumers responded to the police announcement by posting comments on a community Facebook page about fraud they suspected resulted from using their cards at Bashas', Imandoust says.
"Just reading through the responses, these cards are being used all over the place," he says. "The fraud is not isolated, so it seems like the numbers were probably sold. One post says a card was used at a store in Texas, and there are other posts that suggest this is pretty big."
When Did Breach Occur?
Sgt. Troy Stirling, a spokesman for the Lake Havasu City police, tells BankInfoSecurity that some fraudulent transactions date back to December, suggesting the breach likely occurred last year. "Most of the victims used their card at one of stores in the last two weeks, but we did have some cases that went back further," he says. "We're definitely probably pushing over 300 reports that we've taken from actual victims, and that's just our jurisdiction."
Police departments in nearby communities have received similar reports, Stirling says. "Our detectives have been in contact with neighboring jurisdictions and they have been overwhelmed by reports coming in to them as well," he says. "They are just now getting fraud reports en masse."
Stirling says local investigators began connecting the dots because banking institutions were detecting fraudulent or suspicious transactions, in some cases, even before consumers notified them. "With most of the transactions coming in, the banks were detecting the fraud quicker, or just as quick, as cardholders," he says. "The banks were the first to start noticing the patterns."
Other Retail Breaches
In January, Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. While the source of the breach was not disclosed, Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.
Those compromised systems were discovered during an internal forensics investigation the restaurant chain initiated after several of its locations were identified as commons points of purchase for payment cards linked to fraudulent activity.
In October 2012, Barnes & Noble Booksellers confirmed a breach that affected 63 of its locations, from California to Rhode Island. Although the company did not say when it discovered the breach, it revealed that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.
When news of the Barnes & Noble attack became public, card issuers said they had been monitoring fraudulent activity linked to the bookseller's breach since the spring, relying on high-level cross-channel detection.
Card issuers are often the first to identify fraud patterns when retailers are breached, as the POS breach at Michaels crafts stores revealed in late 2010. Issuers also must deal with the repercussions of subsequent fraud.
"When merchants are compromised, that really adversely affects the banks and credit unions," data-breach expert Wade Baker, managing principal at Verizon Business, told BankInfoSecurity at the time of the Barnes & Noble announcement.