Supervalu Confirms Major Cyberthief POS Network Attack

A cyberthief attack has hit the Supervalu grocery chain’s card-processing network, impacting potentially 1,000 stores and stealing card numbers, expiration dates and other data .

“The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data,” CEO Sam Duncan said Thursday (Aug. 14).

The $17 billion chain said that the data stolen and the stores impacted are limited. “Supervalu believes that the payment cards from which such cardholder data may have been stolen were used during the period of June 22 (at the earliest) through July 17 (at the latest), 2014, at the 180 Supervalu stores and stand-alone liquor stores listed at www.Supervalu.com under the Consumer Security Advisory section, operated under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy banners. The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods stores and stand-alone liquor stores, which are included in the store list referenced on the Supervalu website.  Supervalu currently believes that the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the Company through its Independent Business network other than the franchised Cub Foods stores referenced above.”

A report in The Wall Street Journal, however, said the damage could be much more widespread, potentially impacting more than 1,000 stores, attributing that figure to the ever-popular “according to people familiar with the situation.”

The Journal story said the attack “may have resulted from hackers installing malicious software onto the company’s point-of-sale network,” which is certainly logical given the widespread nature of the attacks, as well as the company’s statement that certain parts of the company—presumably using a separate POS network—appear to have been not impacted.

Supervalu said in its statement that “this press release has not been delayed as a result of law enforcement investigation,” which is a nod to consumers’ ever-increasing demand for data breach transparency. Many chains have cited information-release delays as having been requested by law enforcement, which is a common exemption with state databreach disclosure laws. (See Urban Outfitters security chief expressing concerns about those data breach disclosure rules.)

The chain also tried to reassure investors that this will not likely result in huge losses. “Supervalu maintains insurance for cyber threats, which it believes should mitigate the financial effect of these intrusions on Supervalu, including claims that might be made against the company based on these intrusions. Based on currently available information, Supervalu management does not believe that the ultimate outcome of these intrusions, including any related lawsuits, claims or other proceedings that might be initiated against the Company, will have a material adverse impact on the Company’s consolidated results of operations, cash flows or financial position.”