Supermarket Chain Reveals New Breach

Supervalu Alerts Customers to Potential POS Data Compromise

By Mathew J. Schwartz, August 15, 2014.

The Supervalu supermarket chain is investigating a network intrusion that may have resulted in criminals compromising customer data from its point-of-sale systems.

Supervalu says unauthorized access to its systems began no earlier than June 22 and ended by July 17 at the latest, and may have resulted in the theft of data from 180 Supervalu grocery stores - including franchised stores - as well as standalone liquor stores across seven states.

Supervalu, which is based in Eden Prairie, Minn., earned $34.3 billion in 2013 revenues and is the third-largest food retailer in the U.S., acting as a wholesale supplier to a number of food stores, as well as operating stores under such brand names as Cub, Farm Fresh, Shoppers, Shop 'n Save and Hornbacher's.

The data breach may also have affected customers of an unspecified number of Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states.

"The safety of our customers' personal information is a top priority for us," Supervalu president and CEO Sam Duncan says in an Aug. 15 statement. "The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores."

Potential Payment Card Theft

The breach potentially compromised payment card numbers, cardholders' names, card expiration dates and "other numerical information," which the company hasn't defined; Supervalu didn't immediately respond to a related request for more information. But that information could refer to track data, including the cards' CVV security codes. The stolen information - especially if it included CVV codes - could be employed by criminals to commit fraud.

Supervalu says it can't confirm whether intruders stole the payment card data, and that there's been no evidence to date that any cardholder data, if it was stolen, has been used to commit fraud. The company also says it doesn't know how many customers' card details may have been compromised, and that it has no idea who committed the attack.

The grocery chain published a list of the affected stores, which are in Illinois, Maryland, Minnesota, Missouri, North Carolina, North Dakota and Virginia.

Supervalu says it's directly notifying any affected customers for whom it has contact information, and that the notification contains the same information that's on its website. "We are sending out e-mail and paper mail notices to all customers who are active participants in our stores' customer loyalty program, My CUB Rewards, as we have contact information for these customers," the company says in a data breach FAQ. It also says that, thanks to security remediation efforts, it believes it's safe for customers to once again use credit and debit cards in its stores.

Digital Forensic Experts Investigating

Based on the information that's been released to date, Supervalu appears to have discovered the breach by July 17, after which it likely locked down the systems or network vulnerabilities exploited by attackers. The company says it immediately contacted U.S. law enforcement agencies and brought in third-party digital forensic investigators. Hence it appears to have taken the company about four weeks after discovering the intrusion to identify the scope of the breach, then prepare and issue a public data breach notification.

But Supervalu says it's released related, detailed information as quickly as possible. "This press release has not been delayed as a result of law enforcement investigation," it says. "Supervalu has also notified the major payment card brands and is cooperating in their investigation of the intrusion."

Albertsons Confirms Investigation