updated 02:21 pm EDT, Sun August 17, 2014
Breaches target 209 Supervalu stores, AB Acquisition stores in 21 states
Last week, supermarket chain Supervalu announced that it discovered an intrusion into part of its computer network, specifically for the portion that processes payments with debit and credit cards. The company believes that card data may have been stolen from 209 of its standard and franchise stores. A day prior, AB Acquisition LLC announced that its systems were breached, but was said it had yet to determine if any cardholder data had been stolen.
Supervalu states that the intrusion "may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder's name, from payment cards used at some point of sales systems at some of the company's owned and franchised stores." The company is currently working with law enforcement and card processing companies on an investigation into the breach. It can't say with certainty that any information was obtained, but at this time it hasn't seen any evidence of misuse. Supervalu doesn't believe that any other information was stolen.
The breach occurred between June 22 and July 17, taking place across 180 company-owned stores and 29 franchise stores. Affected chains include Cub Foods, Shop n' Save, Shoppers Food & Pharmacy, Farm Fresh and Hornbacher's. The intrusion also extended to franchise Cub Foods stores and some stand-alone liquor stores. Currently, the company doesn't believe that Save-A-Lot stores, or any independent stores, outside of Cub Foods, were affected.
"The safety of our customers' personal information is a top priority for us," said CEO Sam Duncan. "The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers, but want to assure them that it is safe to shop in our stores."
In the release, Supervalu points out that some Albertsons stores were breached as well, but doesn't believe that it bears any responsibility for losses under the Albertsons banner. The company stated that it only provides IT services to the Albertsons stores, and has been working with them about the intrusions.
AB Acquisition LLC, which runs stores under the Albertsons and Acme market names, is most likely using Supervalu as its outside provider, as it owned a large chunk of Albertsons stores beginning in 2006. Remaining stores would later be sold to a group led by Cerberus Capital Management in 2013, the group that owned the majority of Albertsons stores at the time.
Albertsons states that stores across several states were involved in the system breach, including "Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah." Other store brands from the company where hit as well. Acme Markets in Delaware, Maryland, New Jersey and Pennsylvania; Jewel-Osco stores in Illinois, Indiana and Iowa; Shaw's and Star Markets in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont were all subject to the information breach currently under investigation. The intrusion period is stated as the same time frame as Supervalu's.
"We know our customers are concerned about the security of their payment card data, and we work hard to protect it," said AB Acquisition LLC Chief Information Officer Mark Bates. "As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened. It's important to note that there is no evidence at this point that consumer data has been misused. We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers' data was targeted."
The remaining information from the two companies reminds consumers that could be affected to consider options to mitigate any damage that may occur as a result of stolen data. However, they point out that information accessed, including dates, locations and data, could change during the course of the investigation. Any customer that believes their information was at risk during this period can contact either company to receive 12 months of consumer protection services through AllClear ID.
Both Supervalu and Albertsons breaches add to the growing pile of large company data thefts if it is found that cardholder information was indeed stolen. Goodwill Industries International was the last high-profile company targeted, but it is still conducting an investigation that started in late July.