C-Store Chain Mapco Express Hit With Remote Access Breach


Regional convenience-store chain Mapco Express (NYSE:DK) said on Monday (May 6) that thieves may have stolen credit and debit card information from all 377 of its stores during March and April.

"The hackers accessed the payment processing systems used in all of our stores from March 19-25, in certain stores from April 20-21, 2013, and at two stores in Goodlettsville and Nashville, Tenn., from April 14-15, 2013. If you used your credit or debit card at one of these locations during these time periods, your card data may have been compromised," the retailer said in a statement.

Mapco, which operates stores in Tennessee, Alabama, Arkansas, Georgia, Kentucky, Mississippi and Virginia under the Mapco Express, Mapco Mart, East Coast, Discount Food Mart, Fast Food and Fuel, Delta Express, and Favorite Markets banners, didn't explain how the breach occurred. However, the statement did say the chain's point-of-sale system does not store card numbers, and investigators believe malware planted in POS systems captured data between the PINpad and the card processor. The malware has been disabled.

That makes this breach at least superficially similar to a four-month attack discovered earlier this year against Schnucks, a regional grocery chain in the Midwest. That attack exposed as many as 2.4 million cards. Mapco didn't estimate how many cards may have been compromised in its breach or say when the breach was discovered. The thieves have not been identified, the chain said.

Mapco also didn't say whether PINpads were tampered with, but the number of stores involved makes that unlikely. For the past several years, doctored POS devices that trapped card data and PINs on entry have been the most high-profile breach technique. That was a workaround for the fact that, increasingly, retailers were keeping card data off their POS systems. Now retailers are paying closer attention to PINpads, and for thieves the workaround is to plant malware in the POS remotely to sniff the network connection to the processor.

The best answer would seem to be to get retailers completely out of the card-number business—encrypting all communications between the PINpad and the card processor, and having processors hand the retailer an electronic token to take the card number's place. For now, we're a long way from that. And until chains get better—and faster—at blocking these new malware attacks, thieves will continue to have the upper hand.
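One way a retailer could check its own POS-to-processor traffic for the exposure described above, as an added example that is not part of the original article: the script scans captured payloads for cleartext card numbers and reports them masked. The pipe-delimited message layout, field names and sample payloads are hypothetical and constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to discard digit runs such as timestamps or IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit byte -> integer
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so the report itself holds no PANs."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def audit_payloads(payloads):
    """Return (payload index, masked PAN) for every cleartext PAN found."""
    findings = []
    for idx, data in enumerate(payloads):
        for m in PAN_RE.finditer(data):
            if luhn_ok(m.group()):
                findings.append((idx, mask(m.group())))
    return findings

# Constructed sample payloads (hypothetical format, not from any real system).
# 4111111111111111 is a widely published test card number.
SAMPLE = [
    # Cleartext track data crossing the POS: the condition the article describes.
    b"AUTH|store=0001|track2=;4111111111111111=2512101?|amt=42.10",
    # PINpad-encrypted payload: the POS only ever sees ciphertext.
    b"AUTH|store=0001|enc=9f3ac2e1b7d04455a1c3|ksn=placeholder|amt=42.10",
    # Tokenized follow-up: long reference number, but it fails the Luhn check.
    b"VOID|store=0001|token=tok_7Qx2LmZp|ref=20130319123456789|amt=42.10",
]

if __name__ == "__main__":
    for idx, masked in audit_payloads(SAMPLE):
        print(f"payload {idx}: cleartext PAN {masked}")
```

Any finding means card data is readable on the POS segment, which is exactly what encryption at the PINpad and processor-issued tokens are meant to rule out.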