Four days after the company that handles payment processing for Shaw’s supermarkets announced a potential security breach, customers in Maine were still waiting to find out whether their credit and debit card information was stolen.
On Thursday, Minneapolis-based Supervalu Inc., which sold Shaw’s in 2013 but still provides technology services to the grocery chain, said in a news release that its payment-processing data was accessed by hackers sometime between June 22 and July 17.
It said the criminal intrusion “may have resulted in the theft of account numbers” and other customer data. It is not yet known if any customer data actually was stolen, and so far no card data has shown up for sale on black market websites, the company said.
On Monday, a Shaw’s spokeswoman said the company did not have any new information to provide about the potential breach.
“Not at this time,” spokeswoman Christine Wilcox said via email.
Supervalu reported that the breach may have affected as many as 200 of its grocery and liquor stores. It also potentially affected retail chains sold recently by the company, including Shaw’s, which was founded in Portland in 1860 and has 22 stores in Maine.
Hackers accessed a network that processes Supervalu transactions, meaning account numbers, expiration dates, card holder names and other information might have been stolen, the company said. Those systems are still being used by the stores sold off by Supervalu last year for $3.3 billion, potentially opening up a customer data breach at those stores as well.
Supervalu and Boise, Idaho-based AB Acquisition, which operates Shaw’s, Albertsons and other retail brands, said they took immediate steps to secure their network.
Both companies have been silent on the issue since last week. Martha Currier, the Office of the Maine Attorney General’s consumer protection division complant examiner, said the companies have not yet provided any information to state officials.
While retailers are required to provide notice of data breaches to the attorney general’s office, Currier said, there is no set time frame for the disclosure.
“Nothing in state statute says they have to report anything within a certain number of weeks or months,” she said.
Neither the attorney general’s office nor the state Bureau of Consumer Credit Protection had received any complaint calls from Shaw’s customers in Maine as of Monday, state officials said.
But officials within the Maine Department of Professional and Financial Regulation issued a release Monday evening reminding consumers to check their credit and debit card statements and to contact the issuing financial institution if questionable charges appear. Staff is also available to provide information and guidance to consumers.
In addition, they recommended that if consumers have online access to their credit or debit card information, they should review account activity as soon as possible, rather than waiting for the statement to arrive in the mail.
Consumers are protected under state and federal law from unauthorized credit or debit card use. Liability for unauthorized use of a credit card is limited to $50, but if account numbers have been stolen, consumers have no liability for unauthorized use.
With debit cards, consumers have 60 days from the time when their financial institution sends a statement to report unauthorized activity. If they fail to notify the bank or credit union within that span of time, they are liable for the unauthorized transactions. State officials recommend debit card holders act immediately if they notice unauthorized withdrawals.
For more information, contact the Bureau of Financial Institutions at 800-965-5235, or the Bureau of Consumer Credit Protection at 800-332-8529.
CORRECTION: This story was updated at 3:31 p.m. on Aug. 19 to correct Martha Currier’s title.