Schnucks, a St. Louis-based grocery store chain that announced March 26 it was investigating a potential breach, has now confirmed "malicious computer code" captured details from a yet-to-be-determined number of credit and debit cards (see Retailer Investigates Possible Card Breach).
On March 30, Schnucks issued a statement confirming that a forensics firm it hired had discovered malicious computer code within the grocery chain's payments system that had been used to capture payment data stored on the magnetic stripes of credit and debit cards of customers shopping at its stores.
"After an extensive review, we confirmed that Schnucks was the victim of a cyber-attack," the retailer's chairman and CEO, Scott Schnuck, says in the statement. "We are cooperating with law enforcement, the Missouri Attorney General's Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases.
The retailer, which has 100 stores in five states, acknowledged March 26 that customer complaints about fraud linked to payment cards used at its stores prompted it to launch an investigation into a possible compromise and attack.
Now the company says it has contained the attack and has taken comprehensive measures to block the code from gaining access to payment data collected by Schnucks.
"We have been told by the computer forensics expert that the security enhancements we have implemented in the last 48 hours are designed to block this attack from continuing," he adds. "Our customers can continue using credit and debit cards at our stores."
Schnucks says it's working with forensics experts to determine the breadth of the breach and the number of cards affected.
What remains unclear is whether the attack was waged against POS devices or the Schnucks network. The retailer also has not revealed what security measures it implemented to contain the attack. Schnucks did not respond to BankInfoSecurity's request for clarifications related to the attack and the investigation.
Malware Behind Retail Attack
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner Research, believes malware was involved in the attack.
"Whether or not Schucks calls it malware, it is malware, unless the heist was totally hardware/firmware based, which is highly doubtful, or carried out manually," Litan says. "Coming on the heels of Bashas', it certainly does raise questions as to whether or not it's the same gang, and if more attacks against supermarkets are in store."
In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.
"Supermarkets are relatively easy targets, given the dense foot traffic, multiple checkout lanes and millions of shoppers that go through them at all hours," Litan says.
PCI Compliance Questioned
Litan, however, says the greater question is whether compliance with the Payment Card Industry Data Security Standard is adequately addressing card risks. Neither Schnucks nor Bashas' indicated whether they were PCI compliant at the time of their breaches. But Litan says retailers of this size have to ensure PCI compliance, and they invest thousands of dollars annually to ensure compliance is maintained. The problem: Despite checkbox compliance, these retailers are still getting breached, she says.
"Is PCI compliance enough to stop these heists?" Litan asks. "The answer is obviously no. The attacks continue to succeed against PCI-compliant companies, a phenomenon that is incredibly frustrating to companies that spend millions of dollars to secure their systems for PCI."
In January, the Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. While the source of the breach was not disclosed, Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.
In October 2012, Barnes & Noble Booksellers confirmed a breach that affected 63 of its locations, from California to Rhode Island. Although Barnes & Noble did not say when it discovered its breach, it confirmed that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.