Supervalu’s Data Breach Puts Focus on Beefed-Up Card Security

A data breach involving Supervalu Inc. that hit customers of nearly 1,000 grocery stores around the U.S. is likely to intensify a push by banks and retailers to introduce a new generation of credit cards designed to be more secure.

Source: WSJ | Published on August 18, 2014

A string of high-profile intrusions at retailers such as Target Inc. and Neiman Marcus Group and restaurant chain P.F. Chang's China Bistro Inc. had already kick-started a drive to roll out cards embedded with microchips, which are widely used around the world.

This latest breach shows that consumers remain vulnerable to the loss of personal information while banks and retailers make the slow and costly swap of millions of computer terminals and more than one billion cards tucked into Americans' wallets. Americans carry fewer than 50 million chip cards, according to industry estimates.

Supervalu on Friday confirmed it is investigating a data breach at roughly 200 of its grocery and liquor stores that operate under the brands Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy. The breach was reported by The Wall Street Journal on Thursday.

The Eden Prairie, Minn.-based company said the breach also extended to store brands it sold last year to AB Acquisition LLC, which is owned by private-equity firm Cerberus Capital Management. Supervalu provides technology services to those stores, which include Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets brands, in roughly two dozen states.

AB Acquisition said it was working with Supervalu "to better understand the nature and scope of the incident." It wasn't immediately clear exactly how many of its more than 1,000 stores were affected. "We deeply regret that our customers' data was targeted," said Mark Bates, senior vice president and chief information officer at AB Acquisition in a statement.

A chip card has a small computer chip embedded on the front, in addition to the magnetic stripe on the back. While traditional magnetic stripes contain static data, such as a customer's account number, the chip scrambles data as the transaction occurs. Such technology wouldn't prevent a breach, but it would make the card data essentially useless for thieves, who typically take the information and produce counterfeit cards.

The chip-card push comes at a time when Americans increasingly are using plastic, especially debit cards, as a replacement for cash in everyday transactions.

"These kinds of events are just reinforcement for the need to speed the pace" of chip-card adoption, said Chris McWilton, president of North America operations at MasterCard Inc.

Chip cards already have been used for years in Europe, Asia and Canada, resulting in a steep drop in card fraud, according to industry analysts.

Supervalu described the latest breach as a "criminal intrusion" that might have resulted in the theft of account numbers, expiration dates and cardholder names from customers who used plastic at the stores.

"The company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution," Supervalu said. The company is investigating and is working with federal authorities.

It isn't clear if the stores hit in the breach were equipped to accept the new card technology.

Representatives of Supervalu and the other stores couldn't be reached for comment on whether they have the chip technology at the affected stores.

Wal-Mart Stores Inc. is one of the few major retailers that have installed chip-card terminals in thousands of its U.S. stores.

But even if the grocery checkout lines had the terminals to accept chip cards, most Americans don't yet have them in their wallets. Banks are moving quickly to change that. The number of chip cards in circulation is forecast to rise to 575 million by the end of 2015, representing about half of the U.S. cards in circulation, according to estimates released on Wednesday by a banking industry group. Big banks increasingly are issuing chip cards to new customers and to existing customers as their current cards expire.

"There is a real enthusiasm among the banks to get going on this," said Ellen Richey, vice chairman of risk and public policy at Visa Inc.

Retailers are often among the leading victims listed in Verizon Communications Inc.'s data breach report, which takes data from Verizon's investigations team, other security companies and law enforcement. Last year, it counted 198 successful point-of-sale intrusions, although it said the figure was down from the year before.

As of this year, 47 states had passed laws requiring businesses eventually to disclose theft of personal data.

The chip-card rollout is a big change for retailers that typically operate on razor-thin margins, many of which have skimped on computer security for years, said security experts who have worked on large-scale breaches.

At major chains, stores are often connected both to each other and to a central hub, forming a network akin to a bicycle wheel, breach investigators said. Although this enables stores to talk to each other more easily, it also allows hackers who break into one store to gain access to dozens of other stores.

"Once you get into that network, everything is Swiss cheese," said Dmitri Alperovitch, chief technology officer of CrowdStrike Inc., a cybersecurity company. Retailers, he said, "typically have old machines that are out in the field and hard to manage and secure."

Hackers also often steal payment-card numbers the instant they are read by a card reader but before they're encrypted, or scrambled, by store computers.

Last month, the Homeland Security Department released an extensive report on how cybercriminals targeting retailers found security holes in software that lets workers log into corporate networks from afar.

The problem: Since retail networks are so interconnected, the hackers eventually can work their way over to payment-card data from systems meant for remote workers and contractors.

Despite the rash of attacks recently, people who were shopping Friday at stores that may have been affected by the latest breach didn't express much concern about the latest incident.

"This already happened at Target, so it's not a surprise," said Beth Torres, a 22-year-old medical assistant and student shopping at Jewel-Osco in Chicago on Friday. "It's still a big deal, but it's just sort of expected now."

Shoppers also are aware that they aren't responsible for unauthorized purchases made on debit and credit cards.

"I don't really worry about it. It doesn't prevent me from shopping somewhere," said Brandi Coleman, 39 years old, who was shopping at the same store.