Grocery store chain Schnuck Markets Inc. now says about 2.4 million debit and credit cards were likely compromised as a result of a breach of its point-of-sale network back in December (see Retailer Says 'Code' Compromised Cards).
In a statement and timeline of events issued April 15, Schnucks does not say exactly how its network was attacked. But the company confirms that malware designed to access card numbers was discovered on its network - ruling out the possibility that the breach resulted from POS-device tampering or an insider scheme. Schnucks also notes that transactions conducted between Dec. 1 and March 29 at 79 of its 100 stores were affected. Those stores are in Missouri, Illinois, Indiana and Iowa.
"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," said Scott Schnuck, chairman and CEO, in the April 15 statement.
Schnucks is continuing to work with its payment processor, which it has not named, to ensure the card brands and card-issuing banking institutions are notified of all potentially affected card numbers, according to its statement. "Those banks will then be able to take steps to protect their cardholders, such as adding enhanced transaction monitoring or reissuing a new card. Many banks have already taken these steps."
Malware a Growing Concern
Malware attacks aimed at retailers are a growing concern, says Nick Percoco, senior vice president at Trustwave, which conducts forensic investigations. The malware that strikes retailers is targeted, and not widespread, he says.
"In retail, a good majority of malware we see out there has memory dumping or scraping," Percoco says. "In about 50 percent of all the cases we saw last year, the malware was custom-written. This is malware that is not going to trigger anti-virus systems or software."
Last year, Trustwave investigated 450 retail breaches, and identified only 40 malware variants used in those attacks. "These pieces of malware are very unique, and when you run it, it knows the specific processes of what to look for to discover card information," he says. "When this piece of malware makes its way onto a retail environment, it extracts full track data."
New Details Revealed
On April 7, Schnucks announced in a statement posted online that it had hired forensics investigation firm Mandiant to review its breach and that so far attorneys general in Missouri and Illinois had been notified of the network attack.
On April 15, the company said it initiated its investigation on March 28, and over the next 36 hours worked with Mandiant to contain and block the attack. The grocer says it was notified on March 15 by card brands that fraudulent activity on 12 different credit cards had been linked to Schnucks by card-issuing institutions.
The company also pointed that as of its most recent audit, conducted in November 2012, it was compliance with the Payment Card Industry Data Security Standard.
Avivah Litan, a financial fraud expert and distinguished analyst for consultancy Gartner, says the Schnucks breach is substantial, but it remains unclear exactly how the malware infiltrated the network. "I wish we knew more details beyond what's reported here," she says. "It helps to disclose as much information as possible because people can shore up their defenses better when they know more about attack vectors and hacker techniques. I also would like to know more about why PCI compliance isn't working at these breached entities and retailers."
Lawsuit Claims PII exposed
A class action lawsuit filed against Schnucks on April 8 seeks unspecified damages for consumers affected by the breach, alleging personally identifiable information was exposed, potentially opening those customers to the risk of identity theft (see Schnucks Sued Over Malware Attack).
The suit also claims Schnucks' failure to adequately protect cardholder data exposed customers' personally identifiable information, ultimately resulting in deceptive and unfair practices, which is a violation of Missouri Merchandising Practices Act. As a result, affected cardholders now run the risk of having their identities stolen, the suit argues.
Schnucks has not responded to BankInfoSecurity's request for comment about the claims made in the suit. But in its April 15 statement, the grocer points out that only card numbers and expiration dates may have been accessed during the attack, "not the cardholder's name, address or any other identifying information."
Other Retail Breaches
Earlier this month, a POS-software vulnerability was to blame for a malware attack that exposed hundreds of debit and credit accounts in and around Louisville, Ky. Area card issuers tied fraudulent transactions back to a number of merchants that have one thing in common - the same POS-system remote-access software, said Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust (see Retailers Attacked by POS Malware).
Although fraudulent transactions so far have only been linked to accounts in Kentucky, the malware has likely affected POS networks and systems in other states as well, experts say.
In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.
In January, the Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. While the source of the breach was not disclosed, Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.
And in October 2012, Barnes & Noble Booksellers confirmed a breach that affected 63 of its locations, from California to Rhode Island. Although Barnes & Noble did not say when it discovered its breach, it confirmed that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.