AAPL Stock: 118.14 ( + 0.11 )

Printed from

Supermarket chains Supervalu, AB Acquisition LLC announce breaches

updated 02:21 pm EDT, Sun August 17, 2014

Breaches target 209 Supervalu stores, AB Acquisition stores in 21 states

Last week, supermarket chain Supervalu announced that it discovered an intrusion into part of its computer network, specifically for the portion that processes payments with debit and credit cards. The company believes that card data may have been stolen from 209 of its standard and franchise stores. A day prior, AB Acquisition LLC announced that its systems were breached, but was said it had yet to determine if any cardholder data had been stolen.

Supervalu states that the intrusion "may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder's name, from payment cards used at some point of sales systems at some of the company's owned and franchised stores." The company is currently working with law enforcement and card processing companies on an investigation into the breach. It can't say with certainty that any information was obtained, but at this time it hasn't seen any evidence of misuse. Supervalu doesn't believe that any other information was stolen.

The breach occurred between June 22 and July 17, taking place across 180 company-owned stores and 29 franchise stores. Affected chains include Cub Foods, Shop n' Save, Shoppers Food & Pharmacy, Farm Fresh and Hornbacher's. The intrusion also extended to franchise Cub Foods stores and some stand-alone liquor stores. Currently, the company doesn't believe that Save-A-Lot stores, or any independent stores, outside of Cub Foods, were affected.

"The safety of our customers' personal information is a top priority for us," said CEO Sam Duncan. "The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers, but want to assure them that it is safe to shop in our stores."

In the release, Supervalu points out that some Albertsons stores were breached as well, but doesn't believe that it bears any responsibility for losses under the Albertsons banner. The company stated that it only provides IT services to the Albertsons stores, and has been working with them about the intrusions.

AB Acquisition LLC, which runs stores under the Albertsons and Acme market names, is most likely using Supervalu as its outside provider, as it owned a large chunk of Albertsons stores beginning in 2006. Remaining stores would later be sold to a group led by Cerberus Capital Management in 2013, the group that owned the majority of Albertsons stores at the time.

Albertsons states that stores across several states were involved in the system breach, including "Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah." Other store brands from the company where hit as well. Acme Markets in Delaware, Maryland, New Jersey and Pennsylvania; Jewel-Osco stores in Illinois, Indiana and Iowa; Shaw's and Star Markets in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont were all subject to the information breach currently under investigation. The intrusion period is stated as the same time frame as Supervalu's.

"We know our customers are concerned about the security of their payment card data, and we work hard to protect it," said AB Acquisition LLC Chief Information Officer Mark Bates. "As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened. It's important to note that there is no evidence at this point that consumer data has been misused. We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers' data was targeted."

The remaining information from the two companies reminds consumers that could be affected to consider options to mitigate any damage that may occur as a result of stolen data. However, they point out that information accessed, including dates, locations and data, could change during the course of the investigation. Any customer that believes their information was at risk during this period can contact either company to receive 12 months of consumer protection services through AllClear ID.

Both Supervalu and Albertsons breaches add to the growing pile of large company data thefts if it is found that cardholder information was indeed stolen. Goodwill Industries International was the last high-profile company targeted, but it is still conducting an investigation that started in late July.

by MacNN Staff



  1. UlfMattsson

    Fresh-Faced Recruit

    Joined: 08-18-14

    I think it is not enough that "we work hard to protect it" and "we deeply regret that our customers' data was targeted." I think that more proactive data security approaches are needed at this time.

    Dow Jones Business News reported on August 14 about these breaches and said "It may have may have resulted from hackers installing malicious software onto the company's point-of-sale network, said people familiar with the situation"

    This type of targeted malware topped the list of security threats exerting the most pressure on organizations in 2013 according to study by Trustwave.

    McAfee Labs researchers have analyzed the threats 2013 and seen a steady growth in malware. Malware tries to hide from its victims. Sophisticated malware can be difficult to detect and may even be signed by trusted (stolen) certificates.

    Signed malware, which poses as approved legitimate software, continues to set records, increasing by almost 50 percent during 4th quarter 2013.

    Even if the malware is detected it could be hard to notice in the noise from state of the art malware detection systems. The Target breach last year had this type of situation.

    Attackers are constantly finding new ways to attack sensitive data and point-of-sale systems are attractive targets for attackers.

    I think good news can be found in the studies that are showing that users of data tokenization will experience up to 50 % fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users. The attacker will only find unusable data and this approach can help to protect sensitive data against a range of future attacks.

    I think it is time to start using Data Tokenization to secure the entire data flow. Gartner is currently classifying Data Tokenization as a mature technology for PCI and PII data.

    Ulf Mattsson, CTO Protegrity

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented