It's April, and the point-of-sale breach season is well under way. Regional grocery chains Schnuck's and Sprouts have both discovered PINpad attacks that may have allowed thieves to steal customers' payment-card data.
The 100-store Schnuck Markets chain, which operates in Missouri, Illinois, Indiana, Wisconsin and Iowa, said last Saturday (March 30) that a forensic investigation found "evidence of computer code that would capture the magnetic stripe data on the back of payment cards," according to a company statement. The chain isn't saying how many stores were hit by the breach or for how long, but the statement implies this was a true point-of-sale problem, rather than an attack that targeted either payment-card data that was stored or the networks that carried it.
Schnuck's says it has "identified and contained" the problem and is still investigating. "The security enhancements we have implemented in the last 48 hours are designed to block this attack from continuing," the chain said in its March 30 statement.
In late February, the 151-store Sprouts Farmers Market chain said that 19 of its California and Arizona stores were hit with a breach between Jan. 25 and 29. Once again, it appears to be a case of doctored PINpads: "Sprouts was able to quickly identify and replace the affected credit card terminals," the Phoenix-based company said in a statement. Its initial investigation found that the compromised POS devices may have passed card numbers, but not PINs, to thieves.
Both chains have limited the details they released about the attacks and cited ongoing law-enforcement investigations.
PINpads are still the weakest link in retailers' payment armor, and thieves are increasingly adept at hijacking the devices. Let's clarify that: Thieves now have PINpad-based breaches down to a science. They steal, modify and swap in the devices almost at will. Meanwhile, chains are still playing catch-up, especially small and medium-size retail chains that have become the favorite targets of well-organized groups of attackers.
What's arguably needed are PINpads that won't work at all if they're cracked open, and that have to be logged in if they're disconnected from the POS system. That would make the devices impossible to repair and a minor pain to replace, but the alternative is an ever-increasing stream of breaches.