Identity thieves hit N. California grocery chain

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.fresnobee.com/2011/12/06/2639518/id-thieves-hit-san-francisco-bay.html

MODESTO, Calif. -- Scores of employees and customers of a supermarket
chain have had their account information compromised after thieves
tampered with debit and credit card readers in self-checkout lines in
Northern California.

Lucky Supermarkets, which disclosed the breach Monday, said some 300
customers were affected at 23 of its San Francisco Bay Area stores,
and some had money stolen from their accounts.

Lucky Supermarkets is part of Modesto-based Save Mart Supermarkets,
which operates more than 233 stores in Northern California and
Northern Nevada.
Police in Petaluma said at least 57 people reported money being stolen
from their bank accounts after using a self-checkout line and using
VeriFone card readers. The average loss appeared to be about $500, and
the money was withdrawn throughout California, including in the San
Francisco, Santa Barbara and Northridge areas, and Reno, Nev., police
said.

Alicia Rockwell, a spokeswoman for Lucky Supermarkets, said 1,500
inquiries had come into the company's call center as of Tuesday. She
said of those, about 300 customers were claiming that they either had
some unauthorized activity on their credit or debit cards, or some
attempt of unauthorized activity.

Stephen Ackerman, chief financial officer of Save Mart, said the U.S.
Secret Service Electronic Crimes Task Force is investigating the
clandestine data "sniffers" attached to the card readers.

"All the devices are now down in Tulsa, Okla., at the Secret Service
lab, (where they're) trying to read the data on the chips," Ackerman
said. "The VeriFone people said it was the most sophisticated device
they've ever seen so far as a sniffer."

VeriFone said it would not comment on the case. The Secret Service did
not return calls.

Criminals typically have to steal the card readers to get the data,
but in this case, the masterminds were retrieving data through a
Bluetooth device, Ackerman said.

"There are several hundred thousands of these units in the United
States, probably the world; and now they're all vulnerable," he said.

Ackerman said suspicions first emerged Nov. 11, when an employee
performing routine maintenance discovered a suspicious card reader,
prompting a sweep of all of Lucky Supermarkets stores.

Rockwell said one reader at each store was affected.

The company does not know how far back the data theft goes. But it is
advising customers who used a self-checkout lane in October or
November to close their accounts.

The VeriFone units were installed in 2007.

"It's very easy nowadays for people to steal your identity," John Lee,
who was shopping Tuesday at the Lucky's store on Blossom Hill Road in
San Jose, told the San Jose Mercury News. The 60-year-old engineer
said he'd heard about the hacking on the TV news and had brought cash
to the checkout counter.
"I'm scared they're going to steal my money," he said.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/