Supervalu is the latest in a string of US retailers to report a breach of its card payment network, but says there is no evidence that cardholder data was stolen.
However, in a consumer security advisory, the company said the intruders may have accessed account numbers, expiry dates, other numerical information and cardholders' names.
Supervalu said it had not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of such data.
The company said it had issued the security advisory “out of an abundance of caution”.
Supervalu believes the payment cards from which such cardholder data may have been stolen were used during the period of 22 June to 17 July 2014, at 180 retail outlets owned by the company.
The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods retail outlets.
Supervalu said it believes the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company.
Supervalu investigates data breach
Read more about data breaches
- Most cyber attacks use only three methods, Verizon breach report shows
- Target CEO quits after data breach
- Sears confirms data breach investigation amid retailer data breaches
- Orange data breach underlines need for encryption, say experts
- Target data breach: Why UK business needs to pay attention
- Bitly urges users to secure accounts after security breach
- Target’s CIO resigns after massive data breach
The company – one of the largest retailers in the US with annual sales of $17bn – said that, as soon as the intrusion was detected, it took immediate steps to secure the affected part of its network.
“An investigation supported by third-party data forensics experts is ongoing, to understand the nature and scope of the incident,” the company said.
“Supervalu believes the intrusion has been contained and is confident customers can safely use their credit and debit cards in its stores.”
The company said it had no reason to believe that additional information may have been stolen, but said an investigation was still in progress.
Supervalu said it has notified federal law enforcement authorities and is co-operating in their efforts to investigate the intrusion and identify those responsible.
Consumer identity protection
The retailer has notified the major payment card brands and is co-operating in their investigation of the intrusion.
Supervalu said that, although there is no evidence that cardholder data was stolen, the company is offering customers whose payment cards may have been affected 12 months of free consumer identity protection.
The retailer has set up a callcentre to answer customer questions about the intrusion and the identity protection services offered.
Supervalu said it has insurance for cyber threats, which should mitigate the financial effect of these intrusions, including claims that might be made against the company as a result of the intrusion.
Data security practice
Mark Bower, vice president at Voltage Security said the simple fact being compliant with the payment card industry data security standard (PCI DSS) does not equate to mitigating advanced threats.
“The only way to neutralise the risk of malware in the point of sale (POS) systems is to avoid any sensitive data passing in and through the vulnerable POS or retail IT,” he said.
According to Bower, hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security.
“These risks are totally avoidable – and at a fraction of the cost of the fallout from dealing with the consequences,” he said.
Retailers struggle with basics of data security
However, Verizon's 2014 Data Breach Investigations Report (DBIR) revealed that attackers continue to use only a few simple techniques to steal data from retail organisations.
According to Verizon, very few data breaches in the retail sector can be attributed to advanced attacks.
The most basic problem is that POS devices are often open to the internet and protected only by weak passwords, default passwords and even no passwords, the report said.
The second most common scenario is that attackers use credentials stolen from technology suppliers, accounting for 38% of POS intrusions covered by the 2014 DIBR.
The problem, said Verizon, is that retailers are not in control of access to their networks because many allow technology suppliers remote access to their networks and even their POS systems.
The problem was exacerbated by the same password being used for all organisations managed by the supplier, making them all targets.
Also, the flat hub-and-spoke architecture used by many retailers make it easier for attackers to move across a network once they are inside.