SUPERVALU INC. is alerting customers that it experienced a criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores, including some of its associated stand-alone liquor stores.
This criminal intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores. The company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution.
Tim Erlin, director of IT security and risk strategy at Tripwire, weighed in on the incident, noting, “Current information indicates this breach went on for less than a month, compared to the many months or even years that others have been leaking data. It’s notable that Supervalu’s internal teams discovered this breach, rather than being informed by a third party. The fact that this breach was discovered internally no doubt contributed to its relatively short duration.”
Indeed, SUPERVALU believes that the payment cards from which such cardholder data may have been stolen were used during the period of June 22 (at the earliest) through July 17 (at the latest), 2014, at the 180 SUPERVALU stores and stand-alone liquor stores listed at www.supervalu.com under the Consumer Security Advisory section, operated under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy banners. The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods stores and stand-alone liquor stores, which are included in the store list referenced on the SUPERVALU Website. SUPERVALU currently believes that the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the Company through its Independent Business network other than the franchised Cub Foods stores referenced above.
Upon recognition of the intrusion, the company took immediate steps to secure the affected part of its network. An investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident. SUPERVALU believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.
“The safety of our customers’ personal information is a top priority for us,” said President and CEO Sam Duncan. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
The company currently has no reason to believe that additional information beyond that described above may have been stolen by the intruder. However, given the continuing nature of the investigation, it is possible that time frames, locations and/or at-risk data in addition to those described above will be identified in the future.
The company has notified federal law enforcement authorities and is cooperating in their efforts to investigate this intrusion and identify those responsible for the intrusion.
Although SUPERVALU has not determined that any cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, the company is offering customers whose payment cards may have been affected 12 months of complimentary consumer identity protection services through AllClear ID. SUPERVALU has established a call center to answer customer questions about the intrusion and the identity protection services being offered.