The Green Sheet Online Edition

May 13, 2013  •  Issue 13:05:01


Breach exposes 2.4 million cards

St. Louis-based grocery chain Schnuck Markets Inc. confirmed on April 15, 2013, that approximately 2.4 million credit and debit cards used at 79 of its 100 store locations may have been compromised as a result of a breach of its POS network. The breach occurred between December 2012 and March 29, 2013. According to Schnucks, only track 2 card number and expiration date data were accessed in the breach affecting specific stores in Missouri, Iowa, Illinois and Indiana that Schnucks listed online.

The retailer became aware of fraudulent activity when notified by credit card companies on March 15, 2013, that banks had detected fraud on 12 cards used at Schnucks stores, the company stated. At that point Schnucks launched a forensics investigation through Mandiant Corp., which initially ruled out store employee or POS tampering before detecting indications of a cyber attack on March 28.

In a statement released March 30, Schnucks said it had "found and contained the issue behind the reports of unauthorized access to payment card information" and that it had "taken comprehensive measures designed to block any further access."

After disclosing the cyber attack, Schnucks Chairman and Chief Executive Officer Scott Schnuck said, "We are cooperating with law enforcement, the Missouri Attorney General's Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases."

Monitoring beyond audits

In an April 7 statement, Schnucks said the company had been validated by a third-party assessor as Payment Card Industry Data Security Standard compliant in an audit conducted in November 2012. "It's kind of like a financial audit," said Rick Heroux, President of security consultancy CSR. "The auditor can walk out the door and give you a clean bill of health, and somebody can start stealing the next day."

Heroux said it appears Schnucks was unable to adequately monitor outbound traffic on its network. Stolen card data also has a lifecycle: in this incident, it took several months following the attack for counterfeit cards to be produced and put to use, at which point a common point-of-purchase analysis was able to detect the fraud.

"What's really interesting about this is that it took them two weeks to figure out where it was and contain it," he added. "And they brought in experts. It was evidently a sophisticated attack, because it was so hard to find." Malware attacks like the one executed against Schnucks are becoming a pernicious yet often preventable problem for merchants. Heroux noted that the best defense against these types of attacks is to maintain security updates, which should be ongoing and consistent.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
