The parent company of Jewel-Osco announced Friday that some of its customers’ credit card data may be compromised after computer hacking — the company called it an “unlawful intrusion” — involving 836 stores, including 185 Jewel-Osco stores — 180 in the Chicago area, four in Indiana and one in Iowa.
The incident was connected to a data breach at Jewel’s former parent company, Supervalu.
Supervalu said the related “criminal intrusion” occurred at the chain stores it sold to Cerebus Capital Management LP in March 2013 — stores that Supervalu continues to supply with information technology services.
Those stores include Jewel-Osco as well as Albertsons, Acme, Shaw’s and Star Market — and related in-store pharmacies in two dozen states.
Supervalu has yet to determine if any cardholder data was actually stolen and said Friday that there’s no evidence of any customer data being misused. Information about the breach was released out of “an abundance of caution,” the company said.
The announcement lengthens the list of retailers that have had security walls breached in recent months, including Target, P.F. Chang’s and even the thrift store operations of Goodwill Industries International Inc.
Local cyber-security expert Jerry Irvine said Friday that, based on the information made public, the data breach was made at the checkout counter, or what retailers call point of sale. It’s the part of the computer system that processes payment card transactions.
“This is the cybersecurity Wild West,” said Irvine, who advises on federal cybersecurity policy as a member of the National Cyber Security Partnership Task Force, a joint operation of the Department of Homeland Security and the U.S. Chamber of Commerce.
Hackers share tips online of their illegal activities without penalty, yet private companies cannot yet do so, he said.
Federal regulations are pending that would allow retailers to discuss their cybersecurity problems without threat of liability, he said.
Nevertheless, Irvine said Supervalu’s ability to stop the data breach internally before hackers got people’s personally identifiable information was “a win for the good guys.”
Irvine said shoppers should still take precautions such as reviewing their credit- and debit-card statements, with special attention to unusual debits such as a penny or a dollar.
Often, those small amounts signal that hackers are trying to see whether they can get into a person’s account and either steal a bigger amount later or sell the information, Irvine said.
In Supervalu’s case, hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information possibly stolen, the company said. Those systems are still being used by the stores sold off by Supervalu last year for $3.3 billion, potentially opening up customer data at those stores as well, including Jewel-Osco.
The breach occurred between June 22 and July 17, according to Supervalu, which said it took immediate steps to secure that portion of its network.
The cards from which data may have been stolen were used at 180 Supervalu stores and liquor stores run under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy names. Data may also have been stolen from 29 franchised Cub Foods stores and liquor stores. Those stores in North Dakota, Minnesota, Illinois, Virginia, North Carolina, Maryland and Missouri.
Cerebus affiliate AB Acquisition said that it’s working closely with Supervalu to evaluate the scope of the potential breach.
“We know our customers are concerned about the security of their payment card data, and we work hard to protect it,” Mark Bates, senior vice president and chief information officer at AB Acquisition, said in a statement.
“It’s important to note that there is no evidence at this point that consumer data has been misused.”
The company has hired a third-party forensics team to investigate and said it would release more information within the next day.
Supervalu believes that the intrusion has been contained and it said it is confident that people can safely use credit and debit cards at its stores.
Supervalu and AB Acquisitions are offering customers whose cards may have been affected a year of consumer identity protection services via AllClear ID.
After an initial toll-free number didn’t work as planned, the company redirected people to call 1-877-932-7948 to reach a “live” customer-care agent. The hiccup means that shoppers won’t be able to sign up for a year’s worth of free identity protection services until mid-next week, spokeswoman Christine Wilcox said. At that time, customers can call to sign up at 855-865-4449.
There are efforts underway to make credit and debit cards more secure following a rash of security breaches in recent months.
Target Corp. said this month that expenses tied to a breach leading up to last year’s holiday shopping season could reach as high as $148 million. The incident led to a major shakeup at the company and CEO Gregg Steinhafel resigned.
Restaurant operator P.F. Chang’s confirmed in June that data from credit and debit cards used at its restaurants was stolen. There have been smaller breaches at Neiman Marcus and Michaels Stores Inc.
Shares of Supervalu shed 17 cents to $9.42 in morning trading.
Contributing: Associated Press, Sun-Times Media Wire