SuperValu & Albertson’s Struck by Data Breach

Attackers who hit SuperValu and Albertson’s may have stolen the credit card data of people who shopped at the companies’ grocery stores in the past couple of months.



The two major US grocery retailers hold sensitive data of thousands of shoppers. The recent data breach could have a major impact on them.

According to company sources at SuperValu, its grocery and liquor stores in as many as five states faced a cyber attack aimed at stealing data. The affected systems contained critical information such as credit card numbers, expiration dates, cardholder names, account numbers, and a lot more.

The company said that 180 stores in Maryland, Minnesota, Illinois, Virginia, and Missouri faced the attack between June 22 and July 17. Apart from grocery store devices, the other affected systems were at standalone liquor stores run by Hornbacher’s, Shoppers Food & Pharmacy, Farm Fresh, and Shop ‘n’ Save. The attackers may also have stolen data from several cards that were used at 29 different Cub Foods liquor and grocery stores.

While SuperValu acknowledged that the data breach may have affected a total of 228 of its stores, Albertson’s could not provide an exact figure. However, the number is believed to be more than 700. Both use the same technology to store credit card data, and it is not known which was affected first.

According to Nick Halter of the Minneapolis-St. Paul Business Journal, the attack came at a very bad time for SuperValu. With its recent acquisition of Rainbow stores and the news of Hy-Vee moving into the town, this was the last thing the company wanted. He also added that it is important to find out what exactly the hackers have stolen.

SuperValu said that its Save-A-Lot stores are still untouched by these attacks. However, a related breach was reported at New Albertson’s Inc. and Boise, Idaho-based Albertson’s LLC. SuperValu provides IT services to all these stores.

While third-party investigations are under way, SuperValu has announced that customers can freely use their cards in its stores. It is not known for sure whether the data was stolen or misused, and the company has asked federal law enforcement agencies for help.

After the recent attack, Sam Duncan, the CEO of SuperValu, reassured customers, saying that their protection is the top priority for the company. He said the intrusion was promptly detected and contained, and that there are still no instances of misuse of customer information. He also expressed regret for the entire episode and urged customers to shop at SuperValu.

The company is well established in Minnesota and is among the 10 largest public companies in the state, with revenue above $17 billion for the last fiscal year. The data breach saw the company’s shares dip by almost three percent to $9.30 on Friday morning.

After Target, another Minneapolis-based retail giant, SuperValu is the second major company in the state to be affected by a data breach in one year. Target is said to have lost $148 million in its second-quarter revenue due to the data breach in December 2013. The incident also resulted in the resignation of its CEO, Gregg Steinhafel.

To recover lost ground, SuperValu is offering a year of complimentary consumer identity protection services to customers with affected cards. The company has also set up a call center to answer queries regarding the incident. Customers can reach the call center at (855) 731-6018. The call center is open Monday to Saturday from 8am-8pm.

Although the SuperValu incident might be surprising, it is certainly not new. Other major companies that have been affected by similar data breaches include Goodwill Industries International, the Neiman and Michaels Stores, and P.F. Chang’s, the Chinese restaurant operator.

These incidents highlight the vulnerability of US companies’ payment systems to data breach attempts. With SuperValu providing its IT services to the affected companies, this incident should also shed some light on third-party security risks.

The PCI DSS (Payment Card Industry Data Security Standard) clearly states that even after outsourcing payment card services to a third party, it is the responsibility of the client company to ensure the safety of customers’ data.

The newly updated PCI DSS guidelines make it easier for companies to determine whether their third-party service providers are adhering to the appropriate security measures for the protection of cardholder data.

From July 2015, companies would be required to procure an assurance note from service providers, attesting that the provider will keep the debit and credit card data safe. This measure is expected to bring down the number of breach incidents. Until then, it is the responsibility of companies, and not third-party service providers, to keep customer data safe.