Supervalu Finds Second Data BreachMalware Infections Slam POS Systems In 21 States
Supermarket chain Supervalu has announced a second data breach in recent weeks - one that may have impacted payment cards at checkout lanes at four stores. AB Acquisition, which runs five supermarket brands previously owned by Supervalu, also confirms an intrusion, saying malware may have impacted payment card information at various stores in 21 states.
See Also: The Power and Scale of XDR
The latest incidents follow an August breach that resulted in customer data being compromised at point-of-sale systems at 180 Supervalu grocery stores -- including franchised stores -- as well as standalone liquor stores across seven states (see: Supermarket Chain Reveals New Breach). The August breach may also have affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states (see: AB Acquisition: Breach Impacts 836 Stores).
New Malware Infection
Supervalu says that it recently discovered a separate incident where, in late August or early September, an intruder installed different malware into the portion of its computer network that processes payment card transactions at some of its Shop 'n Save, Shoppers Food & Pharmacy and Cub Foods owned and franchised stores, including some of its associated stand-alone liquor stores.
"[Supervalu] believes this was a separate intrusion from the one announced on Aug. 14," the company says in a Sept. 29 statement. After learning about the incident, the company took steps to secure the affected part of its network and believes it has eradicated the malware from its systems. An investigation into the breach is underway, Supervalu says.
While it was able to remove the malware from its systems, Supervalu believes that the malware may have captured payment card data used at some checkout lanes in four franchised Cub Foods stores in Hastings, Shakopee, Roseville and White Bear Lake, Minn. The reason the malware may have been successful is because implementation of enhanced protective technology from the previous breach had not yet been completed, the company says.
The malware may have been able to steal account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder's name, from cards used at some checkout lanes during the period of Aug. 27 through Sept. 21. "However, [Supervalu] has made no determination that any cardholder data was in fact stolen by the intruder," the company says.
Supervalu, which is based in Eden Prairie, Minn., earned $34.3 billion in 2013 revenues and is the third-largest food retailer in the U.S., acting as a wholesale supplier to a number of food stores, as well as operating stores under such brand names as Cub, Farm Fresh, Shoppers, Shop 'n Save and Hornbacher's.
Following the first breach, Supervalu implemented enhanced protective technology, which it believes significantly limited the newly discovered malware's ability to capture data from payment cards where the malware was installed.
Supervalu says it notified federal law enforcement authorities and is cooperating in their efforts to investigate the matter and identify those responsible.
Since the investigation is still ongoing, Supervalu says it's possible that additional compromised information may be identified in the future.
Supervalu is offering customers who used their payment cards at the four impacted stores during the relevant time periods of compromise one year of free identity theft protection services.
"We care greatly about our customers, and the safety of their personal information will continue to be a top priority for us," says Supervalu president and CEO Sam Duncan. "We've taken measures to install enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data and we will continue to make these investments going forward."
AB Acquisition also confirms that new malware may have captured payment card information, although it says there's no determination that any card data was in fact stolen.
Customers who may have had their payment cards compromised are being offered one year of free identity theft protection services, AB Acquisition says.
"We sincerely regret that our customers' data was targeted," says Bob Miller, CEO at AB Acquisition. "We are taking appropriate measures to enhance the protection of our customers' payment card data. We are working closely with all parties on the investigation into this incident."
Supervalu sold almost 900 stores operating under five brand names in January 2013 to AB Acquisition.
Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey were also affected. In addition, Jewel-Osco stores in Iowa, Illinois and Indiana were impacted, along with Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
Following the first breach at Supervalu, the supermarket chain was hit with a class action lawsuit (see: Supermarket Chain Reveals New Breach).
In the suit, which was filed in the U.S. District Court for the Southern District of Illinois, the plaintiffs claim Supervalu failed to abide by best practices and industry standards concerning the security of its payment processing systems. Additionally, Supervalu is being accused of failing to notify plaintiffs in a timely manner. The lawsuit states that Supervalu has publicly stated that "approximately 40 million credit and debit card accounts may have been impacted."