Grocery chain Supervalu investigating potential data breach at stores, including Duluth Cub Foods
EDEN PRAIRIE, Minn. — The owner of Cub Foods said Friday that criminals have broken into its computer network and that shoppers’ credit card numbers might have been stolen.
Eden Prairie-based Supervalu said the breach of its card-processing system occurred between June 22 and July 17.
Cardholders’ names, card expiration dates and other information might also have been stolen, Supervalu said.
The Supervalu breach affected 209 stores across all five of its supermarket chains: Cub Foods and its franchisees in Minnesota, along with Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy.
There are 78 Cub Foods stores in Minnesota, including in Duluth. The breach affected the Duluth store as well as 41 Cub Foods stores in the Twin Cities, along with 10 adjacent Cub Foods liquor stores, the company said. Some other Cub Foods stores in nonmetro Minnesota were affected, too — but the store in Grand Rapids was not on the company’s list of stores affected by the breach.
Cub Foods is the largest grocer in the Twin Cities, with Target in second place — and now, both Minnesota-based retailers have been hit by cyberthieves.
Supervalu said it isn’t sure “that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution.”
Supervalu is the latest major retailer to be hit by cyberthieves, after Target, Neiman Marcus, Michael’s Stores, Goodwill and others.
Avivah Litan, a fraud analyst at information technology firm Gartner, said it’s only the tip of a much larger iceberg.
“There’s a lot of this going on that I don’t think we hear about,” Litan said, later adding, “It’s so pervasive now, it’s getting crazy.”
She said she believes the nation’s card-processing systems are now so badly compromised that, whenever you swipe a credit or debit card, there’s about a 20 percent chance your information is being captured by malware.
The soaring number of breaches alarms retailers and makes consumers resentful, but it’s becoming less shocking with each new disclosure.
“It happens to everybody these days,” said George John, associate dean of the Carlson School of Management at the University of Minnesota. “I’m not sure they (Supervalu) are going to take any hits for that. More depends on their ability to respond to something that’s almost commonplace these days.”
But John does see an impact — on the trust consumers place in electronic payment systems that once seemed secure.
“Clearly, these repeated breaches are going to erode the general trust in these systems,” he said.
Supervalu said criminals had breached “the portion of its computer network that processes payment card transactions.”
Supervalu is offering affected customers a year of complimentary consumer identity protection services via AllClear ID. Supervalu also has created a call center to help answer customer questions about the data breach and the identity protection services being offered.
The call center number is (855) 731-6018. On Friday, callers heard a recorded message giving details about the breach, and said live operators would be available starting Monday.
The Wall Street Journal, citing unnamed sources close to the case, reported that the Supervalu breach “may have resulted from hackers installing malicious software on to the company’s point-of-sale network.” That network includes the cash registers and terminals where consumers scan their credit and debit cards.
A similar cyberattack hit Minneapolis-based Target Corp. during the holiday season last year, when hackers stole credit- and debit-card information from 40 million shoppers. Another 70 million Target shoppers had other personal information stolen.
Millions of those stolen card numbers from Target were later offered for sale online to other criminals.
Fallout from the Target breach continues. The company’s CEO, Gregg Steinhafel, was fired in the spring and was replaced this week by Brian Cornell. Target also has been struggling to win back all of its shoppers and has missed its financial goals since the breach occurred.
The Wall Street Journal reported that the Supervalu breach may affect up to 1,000 stores, because Supervalu provided information technology services to some Albertson’s grocery stores.
Supervalu reported that it doesn’t think the data breach affected its Save-A-Lot stores or any independent grocery stores supplied by the company, aside from some Cub Foods franchisees. It also said a handful of Cub Foods stores were not affected by the breach, because they were owned by a franchisee that used a different payment system.
Once it learned of the breach, the company said that it took immediate steps to secure its network. An investigation is ongoing.
“The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data,” Supervalu CEO Sam Duncan said in a statement. “I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
Litan, the fraud analyst, said chip-and-PIN technology, considered more secure than the magnetic stripes now commonly used, is coming to credit and debit cards, but it’s still years away from full adoption. Yet there are precautionary steps card issuers and processors can take in the meantime, such as end-to-end encrypting of card information, she said.
As a consumer, Litan said, your options are more limited.
“Use cash,” she said.
If these thefts continue, Litan said, she expects digital alternatives to credit cards to become more popular.
“I think the payments world will look much different in 10 years,” she said.
On Wall Street, Supervalu shares fell nearly 3 percent, or 28 cents, to close at $9.31.
The Pioneer Press is a media partner with Forum News Service.
INFORMATION FOR CUB CUSTOMERS
1. Monitor your credit-card or bank statements. Immediately report any suspicious charges. Consumers are not liable for fraudulent charges, if they report them promptly.
2. Supervalu is offering a year of free consumer identity protection for customers affected. Details are available at Supervalu.com, or by calling (855) 731-6018.
3. If you used a debit card at Cub during the breach period, June 22-July 17, change your PIN code.
4. Contact your financial institution. You may not need to replace your card, but some institutions replace cards proactively, while others take a wait-and-see approach.