Schnucks: Millions of Cards Exposed

Grocery Chain Reveals Impact of POS Network Breach

By , April 16, 2013.
Schnucks: Millions of Cards Exposed

Grocery store chain Schnuck Markets Inc. now says about 2.4 million debit and credit cards were likely compromised as a result of a breach of its point-of-sale network back in December (see Retailer Says 'Code' Compromised Cards).

See Also: The Enterprise at Risk: The 2015 State of Mobility Security

In a statement and timeline of events issued April 15, Schnucks does not say exactly how its network was attacked. But the company confirms that malware designed to access card numbers was discovered on its network - ruling out the possibility that the breach resulted from POS-device tampering or an insider scheme. Schnucks also notes that transactions conducted between Dec. 1 and March 29 at 79 of its 100 stores were affected. Those stores are in Missouri, Illinois, Indiana and Iowa.

"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," said Scott Schnuck, chairman and CEO, in the April 15 statement.

Schnucks is continuing to work with its payment processor, which it has not named, to ensure the card brands and card-issuing banking institutions are notified of all potentially affected card numbers, according to its statement. "Those banks will then be able to take steps to protect their cardholders, such as adding enhanced transaction monitoring or reissuing a new card. Many banks have already taken these steps."

Malware a Growing Concern

Malware attacks aimed at retailers are a growing concern, says Nick Percoco, senior vice president at Trustwave, which conducts forensic investigations. The malware that strikes retailers is targeted, and not widespread, he says.

"In retail, a good majority of malware we see out there has memory dumping or scraping," Percoco says. "In about 50 percent of all the cases we saw last year, the malware was custom-written. This is malware that is not going to trigger anti-virus systems or software."

Last year, Trustwave investigated 450 retail breaches, and identified only 40 malware variants used in those attacks. "These pieces of malware are very unique, and when you run it, it knows the specific processes of what to look for to discover card information," he says. "When this piece of malware makes its way onto a retail environment, it extracts full track data."

New Details Revealed

On April 7, Schnucks announced in a statement posted online that it had hired forensics investigation firm Mandiant to review its breach and that so far attorneys general in Missouri and Illinois had been notified of the network attack.

On April 15, the company said it initiated its investigation on March 28, and over the next 36 hours worked with Mandiant to contain and block the attack. The grocer says it was notified on March 15 by card brands that fraudulent activity on 12 different credit cards had been linked to Schnucks by card-issuing institutions.

The company also pointed that as of its most recent audit, conducted in November 2012, it was compliance with the Payment Card Industry Data Security Standard.

Avivah Litan, a financial fraud expert and distinguished analyst for consultancy Gartner, says the Schnucks breach is substantial, but it remains unclear exactly how the malware infiltrated the network. "I wish we knew more details beyond what's reported here," she says. "It helps to disclose as much information as possible because people can shore up their defenses better when they know more about attack vectors and hacker techniques. I also would like to know more about why PCI compliance isn't working at these breached entities and retailers."

Lawsuit Claims PII exposed

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE House Passes Cyberthreat Info-Sharing Bill

Legislation to encourage businesses to share voluntarily cyberthreat information with the federal...

Latest Tweets and Mentions

ARTICLE House Passes Cyberthreat Info-Sharing Bill

Legislation to encourage businesses to share voluntarily cyberthreat information with the federal...

The ISMG Network