Security Experts:

New Data Breaches Hit Supervalu, Albertson's

Supermarket chains Supervalu and Albertson's revealed on Monday that some of their payment processing systems have once again been breached.

In a security advisory posted on its website, Supervalu said cybercriminals installed a piece of malware on a section of its computer network that handles payment card transactions for Shop’n Save, Shoppers Food & Pharmacy and Cub Foods Aestores, including some associated stand-alone liquor stores.

The incident, which took place in late August or early September, is a separate breach from the one announced by the company on August 14. The company also noted that a different piece of malware was used in the second attack.

After the first breach, the company started rolling out some enhanced security measures which are believed to have significantly limited the damage caused by the second intrusion. More precisely, the company said the malware planted in the new attack only managed to capture data from checkout lanes at four franchised Cub Foods stores in Minnesota (Hastings, Shakopee, Roseville and White Bear Lake).

"For these four stores, SUPERVALU believes that the malware may have been successful in capturing account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some checkout lanes during the period of August 27 (at the earliest) through September 21 (at the latest), 2014; however, the Company has made no determination that any cardholder data was in fact stolen by the intruder," Supervalu said.

The four Cub Food stores are affected because Supervalu has not completed the implementation of enhanced security measures at these locations.

The company is offering complimentary identity protection services through AllClear ID for a period of 12 months to customers who paid with their credit cards at the impacted Cub Foods stores.

Albertson's stores operated by AB Acquisition LLC are also affected by the breach since Supervalu provides IT services to the company. According to a notice posted on the Albertson's website, the incident affects Albertson's stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah; ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.

"At this time there has not been a determination that any payment card data was in fact stolen as a result of either incident. Measures have been taken to prevent further use of this new and different malware in the affected store locations. We are also implementing additional measures to enhance the protection of customer payment card data," AB Acquisition LLC said in a statement.

The first intrusion, which started sometime in late June, is still being investigated. However, Supervalu says it still hasn't determined that payment card data was in fact stolen by the cybercriminals.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.