The Supervalu supermarket chain is investigating a network intrusion that may have resulted in criminals compromising customer data from point-of-sale systems in more than 1,000 stores.
Supervalu says unauthorized access to its systems began no earlier than June 22 and ended no later than July 17, and may have resulted in the theft of data from 180 Supervalu grocery stores - including franchised stores - as well as standalone liquor stores across seven states.
Supervalu, which is based in Eden Prairie, Minn., earned $34.3 billion in 2013 revenues and is the third-largest food retailer in the U.S., acting as a wholesale supplier to a number of food stores, as well as operating stores under such brand names as Cub, Farm Fresh, Shoppers, Shop 'n Save and Hornbacher's.
The data breach may also have affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states.
"The safety of our customers' personal information is a top priority for us," Supervalu president and CEO Sam Duncan says in an Aug. 15 statement. "The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores."
Potential Payment Card Theft
The breach potentially compromised payment card numbers, cardholders' names, card expiration dates and "other numerical information," which the company hasn't defined; Supervalu didn't immediately respond to a related request for more information. But that information could refer to track data, including the cards' CVV security codes. The stolen information - especially if it included CVV codes - could be employed by criminals to commit fraud.
Supervalu also says it can't confirm whether intruders stole the payment card data, and that there's been no evidence to date that any cardholder data, if it was stolen, has been used to commit fraud. The company says it doesn't know how many customers' card details may have been compromised, or who committed the attack.
The grocery chain published a list of the 180 affected stores, which are in Illinois, Maryland, Minnesota, Missouri, North Carolina, North Dakota and Virginia.
Supervalu says it's directly notifying any affected customers for whom it has contact information, and that the notification contains the same information that's on its website. "We are sending out e-mail and paper mail notices to all customers who are active participants in our stores' customer loyalty program, My CUB Rewards, as we have contact information for these customers," the company says in a data breach FAQ. It says that, thanks to security remediation efforts, it also believes it's safe for customers to once again use credit and debit cards in its stores.
Digital Forensic Experts Investigating
Based on the information that's been released to date, Supervalu appears to have discovered the breach by July 17, after which it likely locked down the systems or network vulnerabilities exploited by attackers. The company says it immediately contacted U.S. law enforcement agencies and brought in third-party digital forensic investigators. It therefore appears to have taken the company about four weeks after discovering the intrusion to identify the scope of the breach and to line up and issue a public data breach notification.
But Supervalu says it's released related, detailed information as quickly as possible. "This press release has not been delayed as a result of law enforcement investigation," it says. "Supervalu has also notified the major payment card brands and is cooperating in their investigation of the intrusion."
Albertsons Confirms Investigation
Customers of Albertsons, Acme Markets, Jewel-Osco and Shaw's may have also been affected by the breach. Supervalu sold the 877 stores operating under those four brand names in January 2013 to AB Acquisition, which confirms in an Aug. 14 statement that there has been an "incident involving payment card data processing."
Supervalu continues to serve as a third-party IT services provider for the stores.
"We know our customers are concerned about the security of their payment card data, and we work hard to protect it," Mark Bates, senior vice president and CIO at AB Acquisition, says in a statement. "As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened. It's important to note that there is no evidence at this point that consumer data has been misused. We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers' data was targeted."
Free ID Theft Monitoring
Both Supervalu and AB Acquisition say that any affected customers will be able to sign up for 12 months of free identity theft monitoring with AllClear ID.
AB Acquisition says it plans to post additional breach-related information on its albertsons.com, acmemarkets.com, jewelosco.com and shaws.com websites on Aug. 15. The company says the data breach affects customers of 836 of its stores in total, including its Albertsons stores in southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and southern Utah; ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
At a corporate level, Supervalu notes that it holds "insurance for cyber threats, which it believes should mitigate the financial effect of these intrusions on Supervalu, including claims that might be made against the company based on these intrusions." But that claim may be optimistic. Retailer Target, for example, which suffered a massive Dec. 2013 data breach, has so far racked up gross breach expenses of $236 million, of which it expects its cyber insurance policies to cover only $90 million (see Target's Breach Costs Continue to Mount). The Target breach also hit 58 different banks and card issuers with more than $170 million in related expenses by Feb. 2014.
On the other hand, many class-action lawsuits filed against retailers that suffer data breaches, for example against Michaels and Aaron Brothers, have been dismissed for failing to show that consumers suffered monetary losses as a result of the breach.
SuperValu Ireland Not Affected
Of note, this data breach only appears to affect grocery stores in the United States, and doesn't involve an Ireland-based grocer and food distributor also named SuperValu, which is owned by the Musgrave Group. SuperValu in Ireland revealed in Nov. 2013 that it had suffered a data breach that affected 70,000 customers who also used a European holiday loyalty marketing program.