As many as 2.4 million payment card numbers may have been stolen in a breach at the 100-store Schnuck Markets chain, the retailer said Sunday (April 14). Schnuck's said point-of-sale data was compromised at 79 stores in Missouri, Illinois, Indiana and Iowa, and card numbers and expiration dates (but no other personal information) were stolen between Dec. 1 and March 29, when the breach was identified and blocked by forensic experts hired by Schnuck's.
Schnuck's first publicly reported the breach on March 30, but provided scant details. In the new statement, the retailer clarified that the attack did not involve physical tampering with PINpads.
According to a timeline released by the chain, Schnuck's was first notified by its payment processor on March 15 that 12 customers had experienced fraud after they used their cards at Schnuck's stores. The company ruled out employee fraud and physical point-of-sale tampering, then hired fraud-detection company Mandiant, which found malware on some of Schnuck's systems on March 28 and blocked it within 36 hours.
The chain's new statement clears up some concerns but raises others. If thieves did not physically tamper with PINpads within the stores, the attack was apparently either on data stored at each of the 79 stores or was sniffed on the network while it was being sent to the card processor.
A larger concern may be that the chain was validated as PCI DSS compliant by its QSA in November 2012, less than a month before the breach activity began.
The chain did not explain exactly how the card data was stolen or where the malware that fed it to thieves was found.
The chain has also been named in two separate class-action lawsuits alleging it failed to secure customer data and failed to promptly inform customers that their personal information was compromised. Both lawsuits were filed last week, according to the St. Louis Post-Dispatch.
Walmart's Vudu Burglarized, Customer Data Stolen And, Yes, Customers Should Be Unhappy
The Hannaford Data Breach Case Lives On. Lawyers Ask For Judge To Reverse Himself
Schnuck's grocery chain attacked, and once again it's via PINpads