Supervalu reports data breach

Supervalu (NYSE:SVU) is the latest retailer to experience a data breach, announcing that cybercriminals had accessed payment card transactions at some of its stores.

The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company.

The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.

The company believes that the intrusion did not affect any of Supervalu's owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company through its Independent Business network other than the franchised Cub Foods.   

Some stores owned and operated by Albertsons and New Albertsons, including Jewel-Osco stores, suffered a related data breach.   

Supervalu said it took immediate steps to secure the affected part of its network.  An investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident. Supervalu believes the intrusion has been contained.

If early reports are correct, the duration of the intrusion was short lived and notification swift. The company said in a statement it did not delay an announcement pending an investigation.
"Current information indicates this breach went on for less than a month, compared to the many months or even years that others have been leaking data," said Tim Erlin, director of IT security and risk strategy at Tripwire in an email. "It's notable that Supervalu's internal teams discovered this breach, rather than being informed by a third party. The fact that this breach was discovered internally no doubt contributed to its relatively short duration."

"The safety of our customers' personal information is a top priority for us," said President and CEO Sam Duncan.  "The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data."

Supervalu has no evidence that any cardholder data was in fact stolen or that any of the data was misused. It's offering shoppers who might have been affected the now standard 12 months of complimentary consumer identity protection services through AllClear ID.

It seems that retailers are becoming more vigilant in monitoring and more savvy when it comes to disclosure. But according to Mark Bower, VP product management and solutions architecture, Voltage Security, PCI compliance isn't enough.
"By now, every retailer is aware of the risks of malware in the POS, the impact, and the simple fact being compliant to PCI doesn't equate to mitigating advanced threats that no doubt again stole the gold in this case," said Bower. "The only way to neutralize this risk is to avoid any sensitive data passing in and through the vulnerable POS or retail IT. Hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security and are able to brush off such attacks like water off a duck's back. These risks are totally avoidable–and at a fraction of the cost of  the fallout from dealing with the consequences."

For more:
-See this Supervalu statement

Related stories:
Target and PF Chang's breaches 'the tip of the iceberg'
PF Chang's issues security update
Retailers still unprepared for security breaches
Domino's Pizza data hackers demand ransom
How to prevent Target-like data breaches