Grocery giants Albertsons and SUPERVALU announced yesterday that a data breach may have exposed the credit and debit card information of an unknown number of its customers at various grocery store locations in more than 18 states.
Behind Kroger’s, Albertsons is the second largest grocery store chain in the United States. SUPERVALU is third. AB Acquisitions LLC, the company that operates the Albertsons grocery store empire, posted a data breach notification on their website Thursday, saying it had “recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores.” SUPERVALU wrote essentially the same.
The breach apparently began as early as June 22 and lasted until July 17 of this year at the latest.
AB Acquisitions is saying that Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition to those, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey are said to be involved. Customers from Jewel-Osco stores in Iowa, Illinois and Indiana are affected. And Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all affected by this incident.
SUPERVALU is saying that 180 of its Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy supermarket and liquor store locations are impacted.
AB Acquisitions says it has notified the appropriate law enforcement agencies and is working with SUPERVALU, who it identifies as “its third party IT services provider,” to better understand the nature and scope of the compromise.
SUPERVALU owned and operated Albertsons, Acme, Jewel-Osco, Shaw’s and Star Market stores until a 2013, $3.3 billion sale to AB Acquisitions, which is an affiliate of Cerberus Capital Management, according to the Associated Press.
Threatpost reached out to an Albertsons spokesperson, but a request for comment was not returned by the time of publication.
In its own notification, SUPERVALU claims the “criminal intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores.”
Both companies say they have no evidence that stolen payment card information is being misused at this time.
“The safety of our customers’ personal information is a top priority for us,” said SUPERVALU President and CEO Sam Duncan. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
“We know our customers are concerned about the security of their payment card data, and we work hard to protect it,” said Mark Bates, Senior Vice President and Chief Information Officer at AB Acquisition LLC. “As soon as we were notified of the incident, we began working closely with SUPERVALU to determine what happened. It’s important to note that there is no evidence at this point that consumer data has been misused.”
As is the data breach standard, both companies are offering affected customers one year of free credit monitoring services.
“Albertsons 4” by Original uploader was Caldorwards4 at en.wikipedia – Transferred from en.wikipedia; transferred to Commons by User:Xnatedawgx using CommonsHelper.. Licensed under CC BY-SA 3.0 via Wikimedia Commons.