SuperValu shoppers at risk after hackers steal credit card details – and other stores affected too

Graham Cluley

Customers who have used their credit cards at a US supermarket chain between June 22nd and July 17th 2014 are being warned to check their bank balances, after it was discovered that criminals had hacked their way into networks and potentially accessed shoppers’ private data.

Supervalu has published a security advisory on its website, warning that cybercriminals broke into the part of its computer network that handles purchases made with payment cards at point-of-sales systems, and may have stolen information including the cardholders’ name, expiration date, account numbers.

Chances are that poorly-protected point-of-sales terminals had been infected by malware, perhaps scraping credit card information from memory as it was temporarily stored unencrypted.

Customers at risk may have shopped at Supervalu stores, including standalone liquor stores operating under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy brands.

In addition, during the at-risk period, people who shopped at 29 franchised Cub Food stores and standalone liquor stores may be at risk.

And, unfortunately, the impact doesn’t stop there.

It appears that payment card information could also have been stolen from customers who shopped at Albertson’s, Acme, Jewel-Osco and Shaw’s stores. These chains are all operated by AB Acquistion, to whom Supervalu provides IT services.

Supervalu is keen to persuade customers that it is safe to carry on using credit and debit cards in its stores.

“The safety of our customers’ personal information is a top priority for us,” said Supervalu President and CEO Sam Duncan. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”

The supermarket chain says it has informed federal law enforcement, in the hope that the perpetrators of the hack can be identified and brought to justice.

That’s the right thing to do, and it appears that Supervalu has acted fairly quickly in informing the public about the problem, rather than attempting to sweep the bad news under the carpet.

Of course, stories like this do nothing for consumer confidence and recent attacks like the huge data breach at Target which also (if you’ll excuse the pun…) targeted point-of-sales systems, saw tens of millions of card numbers, email addresses and phone numbers stolen and showed that shoppers can be badly shaken by news of hacks.

The impact of the Target breach is still being felt by the company, whose share price took a tumble and whose CEO and security chief ended up losing their jobs as a result of the hack.

Once again questions will be asked as to whether a major retailer was taking enough care to protect its customers’ data from determined hackers, or whether they were treating PCI data security standards as an end goal rather than a starting point.

This article originally appeared on the Optimal Security blog.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.