Retailer Says 'Code' Compromised Cards

Schnucks Confirms Attack Against Debit, Credit Data

April 2, 2013

Schnucks, a St. Louis-based grocery store chain that announced March 26 it was investigating a potential breach, has now confirmed "malicious computer code" captured details from a yet-to-be-determined number of credit and debit cards (see Retailer Investigates Possible Card Breach).


On March 30, Schnucks issued a statement confirming that a forensics firm it hired had discovered malicious computer code within the grocery chain's payments system that had been used to capture payment data stored on the magnetic stripes of credit and debit cards of customers shopping at its stores.

"After an extensive review, we confirmed that Schnucks was the victim of a cyber-attack," the retailer's chairman and CEO, Scott Schnuck, says in the statement. "We are cooperating with law enforcement, the Missouri Attorney General's Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases.

The retailer, which has 100 stores in five states, acknowledged March 26 that customer complaints about fraud linked to payment cards used at its stores prompted it to launch an investigation into a possible compromise and attack.

Now the company says it has contained the attack and has taken comprehensive measures to block the code from gaining access to payment data collected by Schnucks.

"We have been told by the computer forensics expert that the security enhancements we have implemented in the last 48 hours are designed to block this attack from continuing," he adds. "Our customers can continue using credit and debit cards at our stores."

Schnucks says it's working with forensics experts to determine the breadth of the breach and the number of cards affected.

What remains unclear is whether the attack was waged against POS devices or the Schnucks network. The retailer also has not revealed what security measures it implemented to contain the attack. Schnucks did not respond to BankInfoSecurity's request for clarifications related to the attack and the investigation.

Malware Behind Retail Attack

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner Research, believes malware was involved in the attack.

"Whether or not Schucks calls it malware, it is malware, unless the heist was totally hardware/firmware based, which is highly doubtful, or carried out manually," Litan says. "Coming on the heels of Bashas', it certainly does raise questions as to whether or not it's the same gang, and if more attacks against supermarkets are in store."

In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.

"Supermarkets are relatively easy targets, given the dense foot traffic, multiple checkout lanes and millions of shoppers that go through them at all hours," Litan says.

PCI Compliance Questioned

Litan, however, says the greater question is whether compliance with the Payment Card Industry Data Security Standard is adequately addressing card risks. Neither Schnucks nor Bashas' indicated whether they were PCI compliant at the time of their breaches. But Litan says retailers of this size have to ensure PCI compliance, and they invest thousands of dollars annually to ensure compliance is maintained. The problem: Despite checkbox compliance, these retailers are still getting breached, she says.

"Is PCI compliance enough to stop these heists?" Litan asks. "The answer is obviously no. The attacks continue to succeed against PCI-compliant companies, a phenomenon that is incredibly frustrating to companies that spend millions of dollars to secure their systems for PCI."

Follow Tracy Kitten on Twitter: @FraudBlogger
