The owner of Cub Foods said Friday that criminals have broken into its computer network and that shoppers’ credit card numbers might have been stolen.
Eden Prairie-based Supervalu said the breach of its card-processing system occurred between June 22 and July 17.
The cardholder’s name, the card expiration date and other information also might have been stolen, Supervalu said.
The breach affected 41 Cub Foods stores in the Twin Cities and 10 adjacent Cub Foods liquor stores, the company said.
Cub Foods is the largest grocer in the Twin Cities — Target is No. 2 — and now, both Minnesota-based retailers have been hit by cyberthieves.
Supervalu said it isn’t sure “that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution.”
Supervalu is the latest major retailer to be hit by cyberthieves; Target, Neiman Marcus, Michael’s Stores, Goodwill and others have been hit, too.
Avivah Litan, a fraud analyst at information technology firm Gartner, said it’s only the tip of a much larger iceberg.
“There’s a lot of this going on that I don’t think we hear about,” Litan said, later adding, “It’s so pervasive now, it’s getting crazy.”
She said she believes the nation’s card-processing systems now are so badly compromised that, whenever a credit or debit card is used, there’s about a 20 percent chance that malware is capturing the card’s information.
The soaring number of breaches alarms retailers and makes consumers resentful, but it’s becoming less shocking with each new disclosure.
“It happens to everybody these days,” said George John, associate dean of the Carlson School of Management at the University of Minnesota.
“I’m not sure they (Supervalu) are going to take any hits for that. More depends on their ability to respond to something that’s almost commonplace these days.”
But John said he does see an impact — on the trust consumers place in electronic payment systems that once seemed secure.
“Clearly, these repeated breaches are going to erode the general trust in these systems,” he said.
The Supervalu breach affected 209 stores among all five of its supermarket chains: Cub Foods and its franchisees in Minnesota, along with Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy.
Supervalu said criminals had breached “the portion of its computer network that processes payment card transactions.”
Supervalu is offering affected customers a year of complimentary consumer identity protection services via AllClear ID. Supervalu also has created a call center to help answer customer questions about the data breach and the identity protection services being offered.
The call center number is 855-731-6018. On Friday, callers heard a recorded message giving details about the breach and that operators would be available starting Monday.
As news of the Supervalu breach broke, one customer posted on Cub’s Facebook page, “So you guys can email me nearly every day about your ‘deals,’ but you don’t let me know that your data center was breached and that my credit card was potentially exposed? Wow, thanks.”
The Wall Street Journal, citing unnamed sources close to the case, reported that the Supervalu breach “may have resulted from hackers installing malicious software on to the company’s point-of-sale network.” That network includes the cash registers and terminals where consumers scan their credit and debit cards.
A similar cyberattack hit Minneapolis-based Target Corp. during the holiday season last year, when hackers stole credit and debit card information from 40 million shoppers. An additional 70 million Target shoppers had other personal information stolen.
Millions of those stolen card numbers from Target were later offered for sale online to other criminals.
Fallout from the Target breach continues. CEO Gregg Steinhafel was fired in the spring and was replaced this week by Brian Cornell. Target also has been struggling to win back shoppers and has missed its financial goals since the breach occurred.
The Wall Street Journal reported that the Supervalu breach might affect up to 1,000 stores, because Supervalu continued to provide information technology services to some Albertson’s and New Albertson’s stores.
Supervalu doesn’t think the data breach affected its Save-A-Lot stores or any independent grocery stores supplied by the company, aside from some Cub Foods franchisees.
It also said a handful of Cub Foods stores were not affected because they were owned by a franchisee that used a different payment system.
Once it learned of the breach, the company said, it took immediate steps to secure its network. Supervalu said Friday that its investigation was continuing.
“The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data,” Supervalu CEO Sam Duncan said in a statement.
“I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
Litan, the fraud analyst, said chip-and-PIN technology, considered more secure than the commonly used magnetic strips, is coming to credit and debit cards, but it’s still years away from full adoption.
Yet there are precautionary steps card issuers and processors can take in the meantime, such as end-to-end encrypting of card information, she said.
As a consumer, Litan said, your options are more limited.
“Use cash,” she said.
If these thefts continue, Litan said, she expects digital alternatives to credit cards to become more popular.
“I think the payments world will look much different in 10 years,” she said.
On Wall Street, Supervalu shares fell nearly 3 percent, or 28 cents, to close at $9.31.
Associated Press reports were used in this story. Tom Webb can be reached at 651-228-5428. Follow him at twitter.com/TomWebbMN.
