Schnucks Markets, a 100-store grocery chain across the Midwest, said on Monday that roughly 2.4 million payment cards used at 79 of its 100 stores may have been compromised as a result of a previously disclosed cyber attack.
The St. Louis-based grocery chain said the breach occurred between December 2012 and March 29, 2013, and while as many as 2.4 million cards may have been compromised, the company emphasized that only the card number and expiration date were accessed – not the cardholder’s name, address or any other identifying information.
However, Schnucks did warn that scammers are taking advantage of the incident by contacting potential Schnucks-shoppers and requesting personal information such as Social Security numbers or credit card numbers under the guise of investigating the breach.
Schnucks was first tipped off about a potential breach after credit card companies informed the company that banks had detected fraud on 12 different cards that had been used at its stores.
The company subsequently hired breach investigation firm Mandiant to investigate the breach, which determined that the first indication of a cyberattack had occurred on March 28.
Schnucks has worked with its payment processor to make sure all potentially affected card numbers were sent to the credit card companies so that they may continue sending alerts to the issuing banks, the company said.
“A cyber-attack is not like a bank robbery where you know immediately when it occurred and who was affected,” the company said. “The investigation of a cyber-attack requires painstaking analysis of digital evidence that takes time in order to determine what happened.”
“Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures,” said Scott Schnuck, Chairman and CEO, in a statement.
Schnucks did not disclose technical details on the attack and how the card numbers were obtained, but did say that it provided the Secret Service and FBI with information about the methods and tools used by the attacker(s).
In a previous statement, the company said that during its most recent annual audit in November 2012, the company was validated as PCI DSS compliant by its assessor—another reminder that compliant does not always mean secure.