Shaw’s Supermarkets and its sister retailers were targeted as part of a large-scale hacking scheme that may have led to the theft of customer credit and debit card data, the company’s former owner said.
Minneapolis-based Supervalu Inc., which sold Shaw’s in 2013 but still provides technology services to the grocery chain, said in a news release that its payment-processing data was accessed by hackers sometime between June 22 and July 17.
“This criminal intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the company’s owned and franchised stores,” the release said.
Supervalu reported that the breach may have affected as many as 200 of its grocery and liquor stores. It also potentially affected retail chains sold recently by the company, including Shaw’s, which was founded in Portland in 1860 and has 22 stores in Maine.
Hackers accessed a network that processes Supervalu transactions, meaning account numbers, expiration dates, card holder names and other information might have been stolen, the company said. Those systems are still being used by the stores sold off by Supervalu last year for $3.3 billion, potentially opening up a customer data breach at those stores as well.
Supervalu and Boise, Idaho-based AB Acquisition, which operates Shaw’s, Albertsons and other retail brands, said they took immediate steps to secure their network.
“As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened,” said Mark Bates, senior vice president and chief information officer at AB Acquisition. “It’s important to note that there is no evidence at this point that consumer data has been misused.”
The cards from which data may have been stolen were used at 180 Supervalu stores and liquor stores run under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy names. Data also may have been stolen from 29 franchised Cub Foods stores and liquor stores. Those stores in North Dakota, Minnesota, Illinois, Virginia, North Carolina, Maryland and Missouri.
Supervalu said that a related criminal intrusion occurred at the chain stores it sold to Cerebus Capital Management LP in March 2013, stores that Supervalu continues to supply with information technology services.
Those stores include Albertsons, Acme, Jewel-Osco, Shaw’s and Star Market – and related Osco and Sav-on in-store pharmacies in two dozen states.
AB Acquisition believes the intrusion has been contained and is confident customers can safely use credit and debit cards in its stores.
Supervalu and AB Acquisition are offering customers whose cards may have been affected a year of consumer identity protection services via AllClear ID.
Supervalu also has set up a call center to help answer customer questions about the data breach and the identity protection services being offered. The call center can be reached at (855) 731-6018. Customers also can visit Supervalu’s website under the Consumer Security Advisory section to get more information about the data breach and the identity protection services.
The retail industry is striving to make credit and debit cards more secure following a rash of security breaches in recent months.
Target Corp. said this month that expenses tied to a breach leading up to last year’s holiday shopping season could reach $148 million. The incident led to a major shakeup at the company, including the resignation of CEO Gregg Steinhafel.
Shortly after the Target breach was announced, cyber criminals began offering millions of credit and debit card numbers for sale that were stolen from Target customers, including thousands in Maine.
In January, two underground websites selling stolen card numbers listed a combined 5,650 card numbers, security codes, expiration dates and card holder names that were stolen from Target stores in Augusta, Bangor, Biddeford, Topsham and South Portland.
Another breach that affected thousands of Maine consumers occurred in 2008, when roughly 300 Hannaford Supermarkets stores were infected with malicious software that facilitated the theft of about 4.2 million credit and debit card numbers in New England.
Many lawsuits against Hannaford followed. But rulings by the Maine Supreme Judicial Court and the First Circuit Court of Appeals limited valid claims against Hannaford to negligence and breach of implied contract. The damages were limited to out-of-pocket expenses from customer attempts to minimize their financial losses.
In 2013, the U.S. District Court for the District of Maine denied a group of plaintiffs class-action status in a lawsuit resulting from the data breach.
Restaurant operator P.F. Chang’s confirmed in June that data from credit and debit cards used at its restaurants were stolen.
There have been smaller breaches at Neiman Marcus and Michaels Stores Inc.
Eugene Slobodzian, a data security expert at Winxnet in Portland, said retailers can incur huge expenses improving their information security following a data breach.
There is no fool-proof method to prevent data theft altogether, he said. The key is to detect it and notify customers as quickly as possible.
“These breaches, they will happen,” Slobodzian said. “It’s really just a matter of when, not if.”
As the size, scope and complexity of customer data theft continue to increase, retailers need to ensure that they have strict security programs and policies in place, he said.
Most successful hacks begin with the release of malicious software – intentionally or unintentionally – from within the affected company, Slobodzian said.
Teaching employees proper security procedures such as not opening unknown email attachments can reduce the risks.
Compared with other recent data breaches, Supervalu and AB Acquisition responded relatively quickly to the hacking incident, Slobodzian said.
“A month to notify customers isn’t bad,” he said.