US retailer Natural Grocers investigates data breach

Natural Grocers is the latest US retailer to announce it is investigating a possible data breach involving customer payment cards

Natural Grocers is the latest US retailer to announce that it is investigating a possible data breach involving customer payment cards.

The seller of natural and organic food, which has 93 stores in 15 US states, said it is investigating a possible data breach involving an “unauthorised intrusion targeting limited customer payment data”.

The company claims it has received no reports of any fraudulent use of payment cards from any customer, credit card company or financial institution.

However, sources in the financial industry have traced a pattern of fraud on customer credit and debit cards suggesting hackers have tapped into point-of-sale (POS) systems at Natural Grocers locations across the country, according to US investigative reporter Brian Krebs.

He wrote in an article on KrebsOnSecurity that Colorado-based Natural Grocers by Vitamin Cottage had hired a third-party data forensics firm, and law enforcement agencies were investigating the matter.

The company said there was no evidence card verification codes were accessed, and no personally identifiable information was involved.


Point of sale systems breached

The attackers are believed to have breached Natural Grocers in late December 2014 by exploiting weaknesses in the company’s database servers and then installing malware that stole card data from the company’s point-of-sale (POS) systems, said Krebs, citing a source with inside knowledge of the breach.

Natural Grocers said it had accelerated plans to upgrade the POS system in all its stores with a new PCI-compliant system that provides point-to-point encryption.
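The point of point-to-point encryption is that the card reader encrypts track data before it reaches the POS application, so malware that scrapes the POS process memory (the usual technique in the retail breaches mentioned here) finds nothing usable. The following is an added illustration, not code from Natural Grocers or any POS vendor: the reader key, the sample track data and the scraper pattern are constructed for the example, and the HMAC-based keystream is a standard-library stand-in for the AES/DUKPT scheme real readers use.

```python
"""Constructed example: why P2PE at the reader defeats a POS RAM scraper.
Not vendor code; keys, card data and patterns are made up for illustration."""
import hashlib
import hmac
import re
from typing import List

# Track 2 pattern of the kind POS RAM scrapers search process memory for:
# PAN (13-19 digits), field separator, expiry YYMM, service code, discretionary data.
TRACK2_RE = re.compile(rb"\d{13,19}[=D]\d{4}\d{3}\d*")

# Constructed sample using a well-known test PAN (4111...), not a real card.
SAMPLE_TRACK2 = b"4111111111111111=25121011234567890"

# Constructed reader key. In a real P2PE deployment only the reader and the
# processor's HSM hold key material; the POS application never does.
READER_KEY = hashlib.sha256(b"constructed reader key").digest()


def _keystream(key: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES/DUKPT so the
    example runs on the standard library. Not for production use."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def swipe_legacy(track2: bytes) -> bytes:
    """Legacy reader: hands the POS application the raw track data."""
    return track2


def swipe_p2pe(track2: bytes, key: bytes, counter: int) -> bytes:
    """P2PE reader: encrypts inside the reader, before the data reaches the POS.
    The 4-byte transaction counter is sent in clear so the processor can rebuild
    the keystream; it also makes every swipe encrypt differently."""
    ct = bytes(p ^ k for p, k in zip(track2, _keystream(key, counter, len(track2))))
    return counter.to_bytes(4, "big") + ct


def decrypt_p2pe(blob: bytes, key: bytes) -> bytes:
    """Processor side (normally inside an HSM): recovers the track data."""
    counter, ct = int.from_bytes(blob[:4], "big"), blob[4:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, counter, len(ct))))


def scrape_memory(pos_memory: bytes) -> List[bytes]:
    """What a RAM scraper does: regex through the POS process memory for track data."""
    return [m.group(0) for m in TRACK2_RE.finditer(pos_memory)]


def simulate(p2pe: bool) -> List[bytes]:
    """Build a snapshot of POS process memory around one swipe and scrape it."""
    card_data = swipe_p2pe(SAMPLE_TRACK2, READER_KEY, 1) if p2pe else swipe_legacy(SAMPLE_TRACK2)
    # Constructed surrounding buffers, as a real POS process would have.
    pos_memory = b"RECEIPT TOTAL 23.45 " + card_data + b" STORE 0093 LANE 2"
    return scrape_memory(pos_memory)


if __name__ == "__main__":
    print("legacy reader, scraper finds:", simulate(p2pe=False))
    print("P2PE reader,   scraper finds:", simulate(p2pe=True))
```

With the legacy reader the scraper recovers the full track; with the P2PE reader the POS only ever holds ciphertext, so the same malware on the same compromised host gets nothing it can sell. The caveat a practitioner should keep in mind is scope: P2PE covers data that passes through the reader, so keyed-in PANs, magstripe fallback paths and any card data the application receives by other routes still have to be dealt with separately.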

The new POS system includes card readers that accept the more secure payment cards based on the Europay, MasterCard and Visa (EMV) standard, which is being rolled out across the US to help reduce card fraud as it has done in Europe.

EMV is a global standard for the interoperation of integrated circuit (chip) cards, known as chip and PIN in the UK. While EMV is not hack-proof, it provides more security than the magnetic stripe system: the chip generates a unique cryptogram for each transaction, so data captured from one purchase cannot simply be replayed, and the cardholder is verified with a PIN.
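The difference between a static stripe and a per-transaction cryptogram is easiest to see in code. The following is an added illustration, not from the article, the EMV specifications or any issuer: the key derivation and the MAC are simplified HMAC stand-ins for the EMV ICC key derivation and the 3DES/AES-based ARQC, and the issuer master key, test PAN and transaction values are constructed for the example.

```python
"""Constructed example: a static magnetic stripe replays freely, while a chip's
per-transaction cryptogram (ARQC stand-in) fails on replay and on tampering.
Simplified stand-in for EMV, not spec-conformant code."""
import hashlib
import hmac
from typing import Dict, Set

# Constructed issuer master key; a real issuer keeps this in an HSM.
ISSUER_MASTER_KEY = hashlib.sha256(b"constructed issuer master key").digest()
# Well-known test PAN, not a real card.
TEST_PAN = "4111111111111111"


def card_master_key(pan: str) -> bytes:
    """Per-card key derived from the issuer master key (stand-in for EMV ICC key derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def session_key(pan: str, atc: int) -> bytes:
    """Session key bound to the Application Transaction Counter (ATC): new key every transaction."""
    return hmac.new(card_master_key(pan), atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(pan: str, atc: int, amount_cents: int, unpredictable_number: int) -> bytes:
    """ARQC stand-in: MAC over the transaction data under the per-transaction session key."""
    data = b"%d|%d|%d" % (atc, amount_cents, unpredictable_number)
    return hmac.new(session_key(pan, atc), data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip: holds its key internally and increments the ATC for every request it signs."""

    def __init__(self, pan: str) -> None:
        self.pan = pan
        self.atc = 0

    def authorise_request(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number,
                "arqc": cryptogram(self.pan, self.atc, amount_cents, unpredictable_number)}


class Issuer:
    """Issuer host: recomputes the cryptogram and refuses any ATC it has already accepted."""

    def __init__(self) -> None:
        self.seen_atc: Dict[str, Set[int]] = {}

    def authorise(self, msg: dict) -> str:
        expected = cryptogram(msg["pan"], msg["atc"], msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE: cryptogram mismatch"
        seen = self.seen_atc.setdefault(msg["pan"], set())
        if msg["atc"] in seen:
            return "DECLINE: ATC already used (replay)"
        seen.add(msg["atc"])
        return "APPROVE"


def magstripe_authorise(track2: bytes, known_cards: Set[bytes]) -> str:
    """Magnetic stripe: the track data is static, so whoever captured it once can reuse it."""
    return "APPROVE" if track2 in known_cards else "DECLINE"


def run_scenarios() -> Dict[str, str]:
    results = {}
    # Stripe: the captured track authorises again, exactly like the original swipe.
    track2 = b"4111111111111111=25121011234567890"  # constructed, same test PAN
    results["magstripe_replay"] = magstripe_authorise(track2, {track2})

    issuer = Issuer()
    card = ChipCard(TEST_PAN)
    genuine = card.authorise_request(2345, unpredictable_number=0x1A2B3C4D)  # terminal picks the UN
    results["chip_genuine"] = issuer.authorise(genuine)
    # Attacker replays the exact message captured from the POS.
    results["chip_replay"] = issuer.authorise(dict(genuine))
    # Attacker reuses the captured cryptogram but changes the amount.
    results["chip_forged_amount"] = issuer.authorise(dict(genuine, amount=99900))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:20s} {outcome}")
```

In a real deployment the terminal also supplies a fresh unpredictable number for every transaction, so a replayed cryptogram would fail the MAC check before the ATC check is even reached; the example keeps the UN fixed on replay so that both controls can be seen doing their job. None of this helps a magstripe card, whose track data is the same on every swipe, which is why the data stolen in POS breaches of the kind described here is so readily cloned.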

In October 2014, US president Barack Obama signed an executive order to speed up the adoption of EMV cards in the US, where most merchants have continued to rely on the less secure magnetic stripe cards. The executive order directs the federal government to lead by example in securing transactions and sensitive data. 

With more than 100 million US citizens falling victim to data breaches in 2014, and millions suffering from credit card fraud and identity crimes, there is a need to move to stronger, more secure technologies that better secure transactions and safeguard sensitive data, the White House said in a statement.

Retail card data spree

US retailers hit by breaches of payment card data include Home Depot, Supervalu, Neiman Marcus and Target, which could be facing costs of more than $1bn relating to its breach in late 2013.

Security experts say the breach could cost far more than the $162m declared in the company’s annual financial report.

Target said $191m of gross expense in 2014 was partially offset by the recognition of a $46m insurance receivable, while the 2013 net expense related to the data breach was $17m.

However, more expenses could be on their way after a judge gave financial institutions the go-ahead in December 2014 to proceed with their lawsuit against Target over losses associated with the attack.

A class action lawsuit alleging Target customers were harmed by the breach that made their personal information vulnerable was reportedly given the go-ahead in January 2015.

The retail industry accounted for 11% of all data breaches in 2014, according to the latest breach report from Gemalto.

The report said the retail industry’s share of data records compromised increased to 55% in 2014, compared with 29% in 2013 due to an increased number of attacks that targeted POS systems.
