Hackers may once again have obtained customer credit card data of Jewel-Osco customers, the grocery chain’s parent company announced Monday.
The latest data breach occurred in late August or early September and used different malware to break into the company’s payment systems than was used in an earlier incident reported by the company Aug. 14.
Credit card account numbers, expiration dates, and the cardholder’s names may have been exposed to hackers, the company said, but it could not determine if intruders had actually obtained the data.
Both breaches affected debit and credit cards used between June 22 and July 17; or between Aug. 27 and Sept. 21.
Customers who used credit or debit cards at Jewel-Osco stores in Illinois, Iowa, or Indiana during those periods should monitor their accounts and contact their banks if they detect any suspicious activity, the company said.
Jewel-Osco’s parent company, AB Acquisition LLC, based in Idaho, said that its credit card payments are handled by a third party provider, Supervalu.
“We take our responsibility to protect our customers’ payment card data seriously,” said Bob Miller, chief executive officer at AB Acquisition LLC. “We sincerely regret that our customers’ data was targeted. As a company, our decisions are always focused on what is best for our customers’ payment card data. We are working closely with all parties on the investigation into this incident.”
AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., recently was notified by its third party IT services provider SUPERVALU of a separate, more recent, attempted criminal intrusion seeking to obtain payment card information used in some of its stores. The Company has been informed that different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing. AB Acquisition promptly notified federal law enforcement authorities of this separate criminal incident, which apparently occurred in late August or early September 2014 and is cooperating in the efforts to investigate the matter and identify those responsible. Third party data forensics experts are supporting the investigation. We have also notified the major payment card brands of this incident.
They also have posted a FAQ for customers concerned about their data and bank card information.
The Associated Press contributed to this report.