Payment Card Breach Hits Supervalu Retail Chain

Attackers went shopping and picked up much more than just a carton of eggs. Supervalu was the latest retail chain to reveal a payment card breach.

Supervalu data breach

American consumers are being alerted to yet another large consumer data breach, this time at grocery supermarket chain Supervalu.

In a public statement, Supervalu confirmed that that there was a payment card breach and consumer information may have been stolen from 180 Supervalu-affiliated stores across the United States. Supervalu has posted a full list of the affected stores, a large number of which are in Minnesota, Virginia, Illinois, Missouri and Maryland.

According to the company, attackers may have stolen customer payment card account holder names, numbers and expiration data. Supervalu is now offering complimentary consumer identity protection to impacted customers for the next 12 months.

"The safety of our customers' personal information is a top priority for us," Sam Duncan, Supervalu president and CEO, said in a statement. "The intrusion was identified by our internal team, it was quickly contained and we have had no evidence of any misuse of any customer data."

Supervalu is not providing any specifics at this time on how the breach occurred. In the last year, multiple point-of-sale (POS) system breaches and exploits have been reported. Target publicly revealed it was breached on Dec. 9, 2013, in an attack that now carries a price tag of approximately $148 million. Restaurant chain P.F. Chang's revealed on June 12 that it, too, is a victim of a POS attack.

At the beginning of August, the U.S. Secret Service warned about Backoff POS malware that targets retailers' systems. According to security vendor Trustwave, some 600 business have been impacted by Backoff.

Security experts eWEEK spoke with were not surprised by the new Supervalu breach and expect more to come in the months ahead.

"We are going to see more retail breaches," Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, said. "The bad guys have clearly improved their capability with regard to point-of-sale systems and payment card data breaches."

Cowperthwaite added that what were once accepted as solid standard practices in retail payment card security are now out of date. He noted that restaurant, hospitality, health care and retail organizations are especially dependent on payment card systems. If attackers can breach the retail industry, then restaurants, hotel chains and hospital systems are exposed to just as much risk, Cowperthwaite said.

John Prisco, president and CEO at Triumfant, also isn't surprised and isn't optimistic about retail security. "No one should be surprised about retail breaches," Prisco said. "Retailers do not invest enough in cyber-security, and why should they? Consumers keep shopping at their stores."

Looking into the mechanics of what is known about the Supervalu breach indicates that it is similar in many respects other recent breaches.

Lucas Zaichkowsky, enterprise defense architect at AccessData, commented that Supervalu's public statement indicates that criminals accessed the portion of their network that processes payment card transactions for multiple store locations. "That's the usual modus operandi of highly skilled and experienced criminal hackers," Zaichkowsky said. "By stealing administrator passwords and blending in as a legitimate system administrator, they're able to maneuver from the business network to the segmented and better secured corporate card data environment."

Zaichkowsky added that the attackers' ultimate goal is to reach the corporate location that acts as a relay hub for transaction data coming from multiple stores, enabling them to steal all the payment card data at a single point.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.