Retailer Investigates Possible Card BreachSchnucks Grocery Chain Says Card Data May Have Been Exposed
The St. Louis-based Schnucks grocery store chain is investigating a possible breach of debit and credit card data.
One card issuer tells BankInfoSecurity it appears likely that a breach occurred at Schnucks or its payments processor. Fraudulent transactions tied to cards used at Schnucks stores date as far back as January, this issuer says.
Customer complaints prompted an investigation into a possible compromise and attack, according to a March 26 statement from Schnuck Markets Inc. The company operates 101 stores in five states.
"Schnucks became aware on March 15 that some customers had noticed unauthorized charges on their card statements for credit cards they used at Schnucks," according to the statement. "Schnucks immediately began to investigate these reports and has engaged outside experts, including a nationally recognized forensic firm, to assist. We are also cooperating with law enforcement authorities."
Company spokesman Paul Simon says he can't confirm if a breach has occurred. The company is not releasing any additional details, such as the name of the forensics firm handling the investigation, he adds.
"Protecting our customers' information is a top priority," the retailer says in its statement. "Unfortunately, reports of credit card fraud are something many retailers have experienced. We want to reassure our customers that we are diligently investigating this matter."
Card Fraud Growing
One executive with an affected card-issuing institution, who asked not to be named, says the card compromises traced to Schnucks continue to grow. So far, fraudulent transactions noted by this institution date back to January.
"The fraud is all over the board," the executive says. "We're seeing it in Illinois, Maryland, Pennsylvania, Wisconsin and Virginia."
The compromised cards affecting this issuer have been limited to Visa credit and signature-debit. No fraud alert or other information related to a possible breach at Schnucks, however, has yet been issued by Visa, the executive adds.
"It may be larger than Schnucks," the executive says. "I think it might be their [local or regional] processor that was breached."
This executive says a network attack aimed at a processor may have exposed the card numbers. So far, this issuer has lost about $10,000 to fraudulent transactions linked to cards used at Schnucks stores.
The issuer also has identified fraudulent transactions at Walmart and Walgreens locations, as well as gas stations, in Illinois, Maryland, Pennsylvania, Wisconsin and Virginia, the executive says. Given the geographic reach of the fraudulent card use, this executive speculates the breach occurred at the processor level.
The institution's fraud-monitoring system, along with cardholder complaints, raised flags and prompted contact with Visa and Schnucks about a possible breach, the executive notes.
"But it's tax-return time, and tracing this kind of fraud is more difficult, since people are out using their cards and spending more money to buy things they would not normally buy," the executive says. "They have tax-return money, so their habits are different. Like going to Walmart - that might be a place they would go to spend tax-return money. The timing of it all has just made it more difficult for the issuers to track and block."
Other Retail Breaches
Other retail breaches have grabbed headlines in recent months.
In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered a never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.
In January, the Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. While the source of the breach was not disclosed, Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.
In October 2012, Barnes & Noble Booksellers confirmed a breach that affected 63 of its locations, from California to Rhode Island. Although Barnes & Noble did not say when it discovered its breach, it confirmed that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.
Card issuers are often the first to identify fraud patterns when retailers are breached, as the POS breach at Michaels crafts stores proved in late 2010, experts said at the time. They also are the ones left dealing with the repercussions of subsequent fraud.