The $4.8 billion automotive aftermarket parts chain—which dubs itself the nation's second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands—said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana.
The breach—which revealed check, credit card and debit card data—apparently happened in February 2008 and was discovered "in early March," said Shelly Whitaker, the manager of public communications for Advance Auto Parts.
The initial investigation revealed that "the majority of [the stolen information] was old data" from December 2001 through December 2004 and that none of the older data had been encrypted, Whitaker said. She added that the chain currently encrypts payment data.
Whitaker said the old credit card data was still in the company's system because it was left over from some old network changes. "During a system conversation, the data had not been deleted," she said.
Advanced Auto Parts was not PCI compliant at the time of the data breach and is still not compliant, although Whitaker said the chain is "in the final stages" of having a PCI assessment completed. It had not been declared PCI compliant because of "an open item not related to this intrusion," which Whitaker declined to identify. "We should be compliant in the next couple of months," she said on April 11.