Two of the nation’s largest supermarket chains, Albertsons and SuperValu, announced last week that the two companies have suffered a devastating data breach of credit and debit card information in more than 18 states.
Supervalu, a Minnesota-based supermarket chain, announced that an unknown number of customers have had their payment credentials compromised between June 22 and July 17. Attackers gained access to the Supervalu computer network that processes card transaction details.
Cybercriminals may have been able to obtain names, credit or debit card numbers, expiration dates, and other sensitive data held on the card that point-of-sale (PoS) devices require to allow a payment.
“The Company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution,” SuperValu said in a press release.
Supervalu also operates a number of large companies such as Cub Foods, Hornbacher’s, Farm Fresh, Shoppers Food & Pharmacy, and Shop ’n Save, in a number of states including Illinois, Maryland, Minnesota, Missouri, North Carolina, Virginia, and more.
As part of the Supervalu breach, hackers also struck Albertsons, Acme Markets, Jewel-Osco, Shaw’s and Star Market, and a number of brands in nearly 24 states.
AB Acquisition LLC, the parent company of Albertsons, Acme Markets, Jewel-Osco, Shaw’s and Star Market, published a press release stating that it also suffered a data breach in around the same time frame as Supervalu and its subsidiaries.
AB Acquisition LLC has notified the appropriate law enforcement agencies and is working alongside Supervalu, which it describes as “its third party IT services provider,” to investigate the attack.
“Third-party data forensics experts are supporting an ongoing investigation. AB Acquisition has not determined that any cardholder data was in fact stolen, and currently it has no evidence of any misuse of any such data,” AB Acquisition LLC said in a press release.
AB Acquisition LLC reported that Albertsons stores in California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were affected by the data breach. By contrast, stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and two Super Saver Foods Stores in Northern Utah were not affected.
In addition, ACME Markets stores in Pennsylvania, Maryland, Delaware and New Jersey were affected. Jewel-Osco stores in Iowa, Illinois and Indiana were affected. Shaw’s and Star Market stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were also affected by the data breach.
Neither company revealed any details on how cybercriminals managed to gain access to their networks, but given the recent outbreak of point-of-sale (PoS) malware, conclusions can be drawn. Large retailers including Target, Neiman Marcus, P.F. Chang’s, and an unsettling number of others have been hit by similar attacks.
It is unclear how much payment data was stolen during the twenty-six-day attack, but the affected companies are contacting customers who are believed to have been affected, as well as offering them one year of credit protection and monitoring services, which appears to be standard when large retailers are breached.
Supervalu’s press release stated that the company “took immediate steps to secure the affected part of its network. Supervalu believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.”
Both companies have stated that no evidence of stolen payment information being abused has been recorded for the time being, but if the data was stolen, it will only be a short time before it begins appearing on underground markets.
Payment information is commonly sold on popular underground carding forums known for their black market services. Brian Krebs, a security expert, frequently exposes the owners of these underground black markets and has gained access to them on numerous occasions, exposing them from the inside.
We can only assume it will be a short time before this payment data begins appearing on underground forums.