Schnucks 'found and contained' security breach; stores say it's safe to use cards

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.bnd.com/2013/03/30/2556873/schnucks-found-and-contained-security.html

Schnucks announced Saturday that it "found and contained" a security
breach that led hundreds of customers in the metro-east and St. Louis
to be victims of credit and debit card fraud.

The company said it once again is safe to use credit and debit cards
at the grocery stores.

The chain of 100 stores hired a computer forensic firm that worked
nonstop until it discovered evidence of a computer code that captured
the magnetic stripe data on the back of payment cards, according to
Lori Willis, spokeswoman for Schnuck Markets Inc.

"After an extensive review, we confirmed that Schnucks was the victim
of a cyber attack," said Scott Schnuck, chairman and chief executive
officer.

The investigation now will focus on the length of time the issue
existed, which stores were affected and how many customers were
victims.

News of a fraud scam connected to Schnucks became public last week.
Customers who shopped at stores throughout St. Louis were determined
to be victims, as well as several customers who shopped at the
Schnucks in Swansea.

Anna Perret and her husband, of Swansea, discovered about $10,000
missing from their bank accounts after using their debit card at the
Swansea location.

"We have identified the issue and taken comprehensive measures to
contain the incident," Schnuck said. "We are cooperating with law
enforcement, the Missouri Attorney General's Office, and the credit
card companies to determine the scope and magnitude of this crime and
apprehend those individuals making fraudulent purchases.

"We have been told by the computer forensics expert that the security
enhancements we have implemented in the last 48 hours are designed to
block this attack from continuing," he continued. "Our customers can
continue using credit and debit cards at our stores."

Schnucks advised that if customers suspect their cards may have been
compromised, they immediately should contact their bank, credit union
or other financial institution that issued their credit or debit
cards.

Even though Schnucks has contained the attack, any card that already
was compromised still could experience fraud. Once Schnucks identified
which cards may have been accessed, it will work with credit card
companies and banks so they can take preventative measures, Willis
said.

Even if a customer has not noticed fraudulent charges, the bank may
choose to cancel and reissue a new card, Willis said.

"We apologize for any inconvenience this may have caused our
customers, and we thank each of them for their patience while we
worked hard to investigate their concerns," Schnuck said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.