Malware Strikes Albertsons, Supervalu in New Data Breach


It’s the latest, but it won’t be the last.

That’s what one digital security expert is saying about the latest data breach reported by grocers Supervalu Inc. and New Albertsons, in which new malware was discovered separate from a similar incident revealed in August.

Tom Field, VP of editorial for Information Security Media Group, a Princeton, N.J.-based global media company, said he believes hackers likely planted the latest malware during a “window of vulnerability” while the companies were repairing the original breach.

“The sad thing is, this won’t be the last one,” Field told Progressive Grocer, referring to a string of highly publicized data breaches at retailers including Target and Home Depot. “The big cost is not what it costs to mitigate the breach. It’s a reputational hit. You’re going to have people getting [credit and debit] cards replaced for the second or third time, wondering if it’s safe to shop there.”

Four Cub Stores Compromised

Minneapolis-based Supervalu said a hacker, in late August or early September, installed malware into the portion of its computer network that processes payment card transactions at some of its Shop ’n Save, Shoppers Food & Pharmacy and Cub Foods owned and franchised stores, including some of its associated stand-alone liquor stores. Company officials believe this was a separate intrusion from the one announced Aug. 14.

Supervalu said it has eradicated the malware, further stating that it believes enhanced protective technology significantly limited its ability to capture data from payment cards where the malware was installed, believed to be the checkout lanes at four Cub Foods franchised locations in Minnesota where enhanced security had not yet been installed.

The company said it believes the malware was not successful in capturing data from payment cards used at any stores other than at some checkout lanes at these four Cub stores, and cannot confirm that data was in fact stolen from those locations. While the investigation is ongoing, Supervalu said it believes malware was not installed at any of its Farm Fresh or Hornbacher’s stores, any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company through its Independent Business network.

“We care greatly about our customers, and the safety of their personal information will continue to be a top priority for us,” said Supervalu President and CEO Sam Duncan. “We’ve taken measures to install enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data and we will continue to make these investments going forward.”

Albertsons Impacted Due to IT Link

Meanwhile, Boise, Idaho-based AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and Acme Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s Inc., may have been impacted by this latest incident because Supervalu – which sold these banners to Albertsons in March 2013 – still provides third-party IT services to the grocer. These Albertsons banners were similarly impacted by the breach reported in August.

The third-party IT services are part of a transition services agreement between the companies, which also includes some finance, real estate and human resources functions. Launched upon Supervalu’s sale of the above banners to Albertsons, the 30-month agreement was scheduled to expire in September 2015 but has since been extended another year, according to Supervalu spokesman Jeffrey Swanson.

Because the point-of-sale systems are different across AB Acquisition divisions, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico and Texas, and two Super Saver Foods Stores in Northern Utah were not impacted by this incident.

However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, Acme Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected by this new incident.

“We take our responsibility to protect our customers’ payment card data seriously,” said Bob Miller, AB Acquisition’s CEO. “We sincerely regret that our customers’ data was targeted. As a company, our decisions are always focused on what is best for our customers, and we know this issue has inconvenienced them and caused concern. We are taking appropriate measures to enhance the protection of our customers’ payment card data. We are working closely with all parties on the investigation into this incident.”

Field, the digital security expert, said he expects consumers are at the point of thinking “enough is enough” when it comes to data security at retailers.

“Every day, there’s something new,” he said. “I don’t want to say consumers have to get used to it, but that’s where we’re at right now with magnetic stripe cards.”

Embedded chip technology, widely used abroad, is more secure, but U.S. businesses have been slow to convert, due to the infrastructure expenses. Credit card companies are moving toward the new technology, but “the issue is the merchants,” Field said, “switching their technology from magnetic stripe to chip. That’s going to be the new obstacle. But I think each breach pushes them further towards making that investment.”

In the meantime, Field warns, consumers should brace themselves for the next security alert.

“I’m sure there are other organizations that have been breached,” he said. “We just haven’t heard about it yet.”
