At five of its stores, Stop & Shop discovered an illegally installed device that skims information from payment cards
The Stop & Shop Supermarkets Co. LLC has told customers that a device that skims information from payment cards was illegally installed at checkouts in five of its stores in Connecticut, Massachusetts and New Jersey on various dates ranging from February to April.
“Immediately upon learning of the issue, we took steps to secure this checkout lane and to review video surveillance to determine when the device was installed,” the company informed customers in an online post by SVP, Operations, Dean Wilkinson. “We also notified law enforcement and began working closely with a third-party forensic investigator to determine what data, if any, it had captured.”
According to the grocer, the devices were installed on only one pin pad at each of the affected stores, and its forensic investigation found that the devices were able to capture data from payment card EMV chips, although not from magnetic stripes. Among the personal information discovered on the devices were names, payment account numbers, and expiration dates for the customers who used the particular self-checkout terminals during the estimated dates of exposure. Stop & Shop said that the devices were designed so that extraction of the captured payment card transaction data would require manual insertion of a reader device into the card capture device, but the data couldn’t be accessed remotely.
“We have been unable to determine if any data was extracted from the devices, but it is possible that data was extracted before the devices were discovered by Stop & Shop,” Wilkinson admitted, adding however, that “at this time, we have no evidence that any of the information has been misused as a result of this issue.”
He explained that it was notifying its customers “[o]ut of an abundance of caution … as we have identified that some of our customers may be affected.” Wilkinson also urged customers to “remain vigilant in safeguarding your information,” and the post included a reference guide to help those whose data may have been compromised seek redress.
The locations affected by the activity, and their estimated windows of exposure are: Stop & Shop #2610, 25 Old King’s Highway N. Darien, CT 06820, April 26-30; Stop & Shop #8, 19 Temple Street, Framingham, MA 01701, April 22-26; Stop & Shop #834, 404 Springfield Avenue, Berkeley Heights, NJ 07922, Feb.8-10; Stop & Shop #800, 8 Franklin Street, Bloomfield, NJ 07003; March 28-April 9; Stop & Shop #2802, 1185 Broad Street, Clifton, NJ 07013, March 14-April 16.