US retailer Supervalu is warning customers that an intrusion of its network may have resulted in the theft of credit and debit card numbers from up to 200 of its stores.
In addition, Supervalu said it is investigating a related breach affecting stores owned and operated by AB Acquisition, for which Supervalu provides IT services.
AB Acquisition is owned by a private equity firm that purchased the stores – including Albertson’s, Jewel-Osco, Acme Markets, Shaw’s and Star Market – from Supervalu last year.
All told, the number of stores affected by the breach could be as many as 1,000, according to a report in the Wall Street Journal.
Although Supervalu said it has “no evidence of any misuse of such data,” the company said that credit card numbers “may have been stolen,” and anyone using credit or debit cards at point-of-sale registers between 22 June and 17 July 2014 could be at risk.
In a statement, Supervalu CEO Sam Duncan said the breach was identified and “quickly contained” by the company’s “internal team.”
So how did this compromise of payment card data happen at so many stores?
According to the Wall Street Journal, the breach at Supervalu was the result of malware on the stores’ point-of-sale (PoS) machines – the devices with keypads where you insert or swipe your card.
Criminals target PoS machines with RAM scraper malware because credit card data that’s usually kept secure through encryption is often unencrypted, briefly, in a PoS register’s RAM (Random Access Memory).
According to SophosLabs, which has studied a type of PoS malware that Sophos detects under the family name Trackr, RAM scrapers harvest clear-text payment data and send that information to rogue call-home servers.
This is what happened in the case of Target, which admitted that malware on its PoS registers led to the compromise of 40 million credit and debit card numbers in late 2013.
Supervalu – another Target?
It would be tough to surpass the vast number of payment card numbers and other customer data that Target coughed up during the holiday shopping season last year.
And, to be clear, Supervalu said it has “no evidence” that any customer credit card numbers were actually stolen.
But if the intruders were able to access PoS data from approximately 1,000 stores operated by Supervalu and AB Acquisition, over a period of four weeks – well, one can only speculate how many millions of potential victims there could be.
Supervalu and AB Acquisition are taking precautions – both companies are offering free credit monitoring and are staffing call centers to respond to customer inquiries about the breach.
In a sign that Supervalu is looking to contain any potential fallout from the breach, the company said that “any losses incurred by” AB Acquisition stores “would not be Supervalu’s responsibility.”
And as the investigation into the breach is ongoing, the company said, any information provided by the company about dates, locations and at-risk data related to the breach could change in the future.
Supervalu seems to be hoping for the best but preparing for the worst.