The Green Sheet Online Edition
May 13, 2013 • Issue 13:05:01
Breach exposes 2.4 million cards
St. Louis-based grocery chain Schnuck Markets Inc. confirmed on April 15, 2013, that approximately 2.4 million credit and debit cards used at 79 of its 100 store locations may have been compromised as a result of a breach of its POS network. The breach occurred between December 2012 and March 29, 2013. According to Schnucks, only track 2 card number and expiration date data were accessed in the breach affecting specific stores in Missouri, Iowa, Illinois and Indiana that Schnucks listed online.
The retailer became aware of fraudulent activity when notified by credit card companies on March 15, 2013, that banks had detected fraud on 12 cards used at Schnucks stores, the company stated. At that point Schnucks launched a forensics investigation through Mandiant Corp., which initially ruled out store employee or POS tampering before detecting indications of a cyber attack on March 28.
In a statement released March 30, Schnucks said it had "found and contained the issue behind the reports of unauthorized access to payment card information" and that it had "taken comprehensive measures designed to block any further access."
After disclosing the cyber attack, Schnucks Chairman and Chief Executive Officer Scott Schnuck said, "We are cooperating with law enforcement, the Missouri Attorney General's Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases."
Monitoring beyond audits
In an April 7 statement, Schnucks said the company had been validated by a third-party assessor as Payment Card Industry Data Security Standard compliant in an audit conducted in November 2012. "It's kind of like a financial audit," said Rick Heroux, President of security consultancy CSR. "The auditor can walk out the door and give you a clean bill of health, and somebody can start stealing the next day."
Heroux said it appears Schnucks was unable to adequately monitor outbound traffic on its network. And there is a lifecycle for stolen card data, which in this incident required several months following the attack to produce and begin using counterfeit cards, at which point a common point-of-purchase analysis was able to detect it.
"What's really interesting about this is that it took them two weeks to figure out where it was and contain it," he added. "And they brought in experts. It was evidently a sophisticated attack, because it was so hard to find." Malware attacks, like the one executed against Schnucks, are becoming a pernicious, yet often preventable problem for merchants. Heroux noted that the best defense against these types of attacks is to maintain security updates, which should be ongoing and consistent.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.