The 128-store Raley's grocery chain has been breached by cybercriminals who may have stolen customer credit and debit card information, the chain said on Thursday (June 6).
The chain, which operates stores in California and Nevada under the Raley's, Bel Air, Nob Hill Foods and Food Source banners, said it discovered that a part of its networks "may have been the target of a complex, criminal cyberattack." The company didn't say when the intrusion was discovered, but said it has an ongoing investigation. The chain also said debit PINs could have been accessed in the breach.
That pattern—a smaller regional chain, a network breach, no evidence of PIN capture (which probably means no PINpads tampered with)—is annoyingly familiar. It's the same general form as the recent breaches at Midwest grocery chain Schnuck's, Arizona-based grocer Bashas, Southeastern U.S. restaurant chain Zaxby's and Southeastern convenience store chain Mapco Express (NYSE:DK). In some cases the breaches have been tied to security holes in remote-access software.
Raley's hasn't said that was the case in its breach, and in fact hasn't yet released many details about the breach at all.
But the rise in small-chain remote-access attacks is likely to continue. The fact that these chains are small means they're less likely to have heavier security on their networks, and more likely to use third-party remote-access software. That makes them easier targets than a large chain, but potentially almost as lucrative in terms of the number of payment card numbers that thieves can resell or use to empty bank accounts through ATMs. For example, in the Schnuck's breach the 100-store chain warned that as many as $2.4 million card numbers may have been stolen.
- See the Raley's news release
C-Store Chain Mapco Express Hit With Remote Access Breach
Schnuck's: 2.4 Million Cards Were Stolen In Cyberattack
Are Franchisees The New Sweet Spot For Card Data Thieves?