Jewel-Osco suffered a data breach that exposed customers’ payment-card information, marking the latest hacker attack on the retail industry.
All Jewel-Osco stores were affected, according to a spokeswoman. But â€œas of this time, we have not determined that any card data was stolen, and there is no evidence of any misuse of our customers’ data,â€ she wrote in an email. â€œThe investigation is ongoing.â€
The chain’s parent, a consortium of investors led by Cerberus Capital Management, said it â€œbelieves that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.â€
Jewel-Osco has 185 stores in Illinois, most of them in the Chicago area.
TIMEFRAME AND REACH
The breach may have begun June 22 at the earliest and ended July 17 at the latest, according to Jewel-Osco’s ownership group.
The incident also affected stores in other chains owned by Jewel-Osco’s parent, including Albertsons. The chains’ owner is offering customers a year of free ID theft protection.
Jewel-Osco’s former owner, Supervalu Inc., handles the technology in question at Jewel and is working with Jewel’s parent on the problem. Eden Prairie, Minnesota-based Supervalu said that it may have suffered a data breach at stores in as many as five states.
Hackers accessed a network that processes store transactions. Account numbers, expiration dates, cardholders’ names and other information may have been stolen, Supervalu said.
Supervalu and the investment group that purchased Jewel-Osco from it last year join a lengthening list of companies whose systems have been compromised. Minneapolis-based retailer Target Corp. was victim of a breach last year that allowed hackers to gain access to payment data for 40 million customersâ€™ cards.
Hackers in Russia have amassed 1.2 billion sets of looted user names and passwords, the largest known cache of stolen personal information, Hold Security LLC said this month.
â€œWe have had no evidence of any misuse of any customer data,â€ Supervalu Chief Executive Officer Sam Duncan said in a statement today. â€œI regret any inconvenience that this may cause our customers, but want to assure them that it is safe to shop in our stores.â€
Supervaluâ€™s stock dropped 2.1 percent to $9.39 as of 10:02 a.m. in New York. Before today, the shares had climbed 32 percent this year.
Earlier this month, Target Corp. said expenses tied to a breach leading up to last year’s holiday shopping season could reach as high as $148 million.
Restaurant operator P.F. Chang’s confirmed in June that data from credit and debit cards used at its restaurants was stolen. There have been smaller breaches at Neiman Marcus and Michaels Stores Inc., and even at Goodwill.
WHY THE LAG?
The fact that the Supervalu breach occurred a month ago raises questions about why it took so long to hear about it, said Michael Sutton, vice president of security research at Zscaler Inc.
â€œIf someone’s data was stolen, they should know about that as quickly as possible,â€ Sutton said. â€œSupervalu indicated that they uncovered the breach. If that’s the case, then when, and why has this taken so long to get out?â€
Cybercrime costs as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a June report by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.
Such breaches threaten to drive customers away and can also be dangerous for company executives.
Target’s board ousted CEO Gregg Steinhafel in the wake of the data theft last year. The retailer’s reputation and store visitor numbers were hurt after the attack became public in December, while its U.S. comparable-store sales fell 2.5 percent in the fourth quarter. Target said earlier this year that it would spend $100 million to accelerate the rollout of cards with better security technology.
While some of the highest-profile victims of hacking have been U.S. companies, the problem is global. Orange SA, France’s largest phone company, said in May that 1.3 million people had personal information stolen because of a breach in a technical platform, the second attack on the company this year.
And earlier this month, the Chicago Yacht Club revealed that it, too, was hit by a data security breach.
Supervalu is treading carefully in responding to its breach, said Sutton, the Zscaler analyst.
â€œThey are just moving extremely cautiously and only saying what they have to say,â€ he said. â€œI have no doubt that more will come out.â€