American consumers are being alerted to yet another large consumer data breach, this time at grocery supermarket chain Supervalu.
In a public statement, Supervalu confirmed that there was a payment card breach and that consumer information may have been stolen from 180 Supervalu-affiliated stores across the United States. Supervalu has posted a full list of the affected stores, a large number of which are in Minnesota, Virginia, Illinois, Missouri and Maryland.
According to the company, attackers may have stolen customer payment card account holder names, numbers and expiration data. Supervalu is now offering complimentary consumer identity protection to impacted customers for the next 12 months.
“The safety of our customers’ personal information is a top priority for us,” Sam Duncan, Supervalu president and CEO, said in a statement. “The intrusion was identified by our internal team, it was quickly contained and we have had no evidence of any misuse of any customer data.”
Supervalu is not providing any specifics at this time on how the breach occurred. In the last year, multiple point-of-sale (POS) system breaches and exploits have been reported. Target publicly revealed it was breached on Dec. 9, 2013, in an attack that now carries a price tag of approximately $148 million. Restaurant chain P.F. Chang’s revealed on June 12 that it, too, is a victim of a POS attack.
At the beginning of August, the U.S. Secret Service warned about Backoff POS malware that targets retailers’ systems. According to security vendor Trustwave, some 600 businesses have been impacted by Backoff.
Security experts eWEEK spoke with were not surprised by the new Supervalu breach and expect more to come in the months ahead.
“We are going to see more retail breaches,” Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, said. “The bad guys have clearly improved their capability with regard to point-of-sale systems and payment card data breaches.”
Cowperthwaite added that what were once accepted as solid standard practices in retail payment card security are now out of date. He noted that restaurant, hospitality, health care and retail organizations are especially dependent on payment card systems. If attackers can breach the retail industry, then restaurants, hotel chains and hospital systems are exposed to just as much risk, Cowperthwaite said.
John Prisco, president and CEO at Triumfant, also isn’t surprised and isn’t optimistic about retail security. “No one should be surprised about retail breaches,” Prisco said. “Retailers do not invest enough in cyber-security, and why should they? Consumers keep shopping at their stores.”
Looking into the mechanics of what is known about the Supervalu breach indicates that it is similar in many respects to other recent breaches.
Lucas Zaichkowsky, enterprise defense architect at AccessData, commented that Supervalu’s public statement indicates that criminals accessed the portion of their network that processes payment card transactions for multiple store locations. “That’s the usual modus operandi of highly skilled and experienced criminal hackers,” Zaichkowsky said. “By stealing administrator passwords and blending in as a legitimate system administrator, they’re able to maneuver from the business network to the segmented and better secured corporate card data environment.”
Zaichkowsky added that the attackers’ ultimate goal is to reach the corporate location that acts as a relay hub for transaction data coming from multiple stores, enabling them to steal all the payment card data at a single point.
Payment Card Breach Hits 180 Supervalu Stores and Affiliates
Finding a solution to POS data breaches is challenging, but there are a number of options. Some suggest that the use of chip-and-PIN credit cards, also known as EMV technology, can be used to reduce the risk.
“Incorporating chip-and-pin technology into POS systems is one of the strongest measures that retailers can take to protect their customers,” Hord Tipton, executive director at ISC2, said. “Unfortunately, without mass adoption, retailers will continue to deal with the fallout associated with losing valuable customer information, further weakening public trust in performing credit and debit card transactions with confidence.”
EMV technology, however, is not necessarily a silver bullet for POS security. At the recent Black Hat USA security conference, multiple researchers detailed vulnerabilities and risks with EMV card systems.
AccessData’s Zaichkowsky noted that he and several other payment security specialists recommend that merchants deploy card readers that encrypt card data at the point of capture, using a reader supported by their payment processor so that the processor, not the merchant, acts as the decryption point.
“The card reader should support encrypting the traditional magnetic stripe, EMV chips and manually keyed-in card numbers,” Zaichkowsky said. “With point-to-point encryption implemented from the card reader to the payment processor, the merchant POS systems never handle payment data in the clear.”
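The point-to-point encryption design Zaichkowsky describes can be modelled in a few dozen lines. The following Go program is an added example written for this article, not code from AccessData, any payment processor, or the original page: a reader-side encryption routine, the opaque message the merchant POS forwards, an audit check confirming the POS never touches the clear account number, and the processor-side decryption. The card number is a well-known test PAN and the key, the `p2pe-demo-v1` context string and the JSON message layout are constructed assumptions; a real deployment would derive per-transaction keys (for example with DUKPT), which this example does not model.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TrackData is the sensitive payload. It exists in the clear only inside the
// card reader and inside the payment processor.
type TrackData struct {
	PAN    string `json:"pan"`
	Expiry string `json:"exp"`
	Name   string `json:"name"`
}

// Constructed sample card data (a standard test PAN, not a real account).
var sampleCard = TrackData{PAN: "4111111111111111", Expiry: "1217", Name: "JANE DOE"}

// ReaderMessage is everything the merchant POS ever receives from the reader:
// an authenticated ciphertext plus the last four digits for the receipt.
type ReaderMessage struct {
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// p2peAAD is assumed protocol context bound into the authentication tag so a
// message sealed under one format cannot be replayed as another.
var p2peAAD = []byte("p2pe-demo-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtReader runs inside the tamper-resistant reader. key is the
// reader/processor shared key (assumed pre-injected for this example).
func EncryptAtReader(key []byte, td TrackData) (ReaderMessage, error) {
	if len(td.PAN) < 4 {
		return ReaderMessage{}, errors.New("PAN too short")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return ReaderMessage{}, err
	}
	plaintext, err := json.Marshal(td)
	if err != nil {
		return ReaderMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ReaderMessage{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, p2peAAD)
	return ReaderMessage{Nonce: nonce, Ciphertext: ct, Last4: td.PAN[len(td.PAN)-4:]}, nil
}

// POSHandlesClearPAN is the audit check a merchant wants to be false: does any
// byte the POS stores or forwards contain the full account number?
func POSHandlesClearPAN(msg ReaderMessage, pan string) bool {
	p := []byte(pan)
	return bytes.Contains(msg.Ciphertext, p) || bytes.Contains(msg.Nonce, p)
}

// DecryptAtProcessor runs at the payment processor, the only party besides the
// reader holding the key. GCM authentication rejects anything altered in transit,
// so a compromised POS can neither read nor modify the card data.
func DecryptAtProcessor(key []byte, msg ReaderMessage) (TrackData, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return TrackData{}, err
	}
	plaintext, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, p2peAAD)
	if err != nil {
		return TrackData{}, fmt.Errorf("authentication failed, message rejected: %w", err)
	}
	var td TrackData
	if err := json.Unmarshal(plaintext, &td); err != nil {
		return TrackData{}, err
	}
	return td, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key generated at start-up
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg, err := EncryptAtReader(key, sampleCard)
	if err != nil {
		panic(err)
	}
	fmt.Printf("POS sees: last4=%s ciphertext=%x\n", msg.Last4, msg.Ciphertext)
	fmt.Println("POS handles clear PAN:", POSHandlesClearPAN(msg, sampleCard.PAN))
	td, err := DecryptAtProcessor(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("processor recovered PAN ending", td.PAN[len(td.PAN)-4:])
}
```

The property worth noticing is that the POS code path has no key and no decryption call at all: a memory-scraping tool of the Backoff kind running on that host would only find ciphertext and the last four digits. Whether magnetic-stripe, EMV-chip or hand-keyed input produced the `TrackData` makes no difference to the rest of the flow, which is the point Zaichkowsky makes about the reader supporting all three.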
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.