Supervalu has experienced a criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores, including some of its associated stand-alone liquor stores. The intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the company’s owned and franchised stores.
Supervalu has not determined that the intruder did steal cardholder data; it has no evidence of any misuse of the data and does not believe any other information may have been stolen. The company said it made the announcement out of an “abundance of caution.”
Supervalu has notified federal law enforcement authorities and the major payment card brands and is cooperating with their investigations.
Supervalu believes that the payment cards from which such cardholder data may have been stolen were used during the period of June 22 (at the earliest) through July 17 (at the latest), at the 180 Supervalu stores and stand-alone liquor stores listed at supervalu.com under the “Consumer Security Advisory” section, operated under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy banners. There also is a link to frequently asked questions about the intrusion on Supervalu’s website.
The intrusion also may have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods stores and stand-alone liquor stores, which are included in the store list referenced on the Supervalu website.
Supervalu currently believes that the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company through its independent business network other than the franchised Cub Foods stores referenced above.
Supervalu said it took immediate steps to secure the affected part of its network. An investigation supported by third-party data forensics experts is ongoing to understand the nature and scope of the incident. Supervalu said it believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.
“The safety of our customers’ personal information is a top priority for us,” said Supervalu President and CEO Sam Duncan. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
Given the continuing nature of the investigation, Supervalu said it is possible that time frames, locations and/or at-risk data in addition to those it has named will be identified in the future.
The company is offering customers whose payment cards may have been affected 12 months of complimentary consumer identity protection services through AllClear ID. Supervalu also has established a call center to answer customer questions about the intrusion and the identity protection services being offered. It will be staffed Monday-Saturday from 8 a.m.-8 p.m. (Central) and can be reached at (855) 731-6018. A recorded message is available with information regarding the intrusion. Customers also can visit supervalu.com under the Consumer Security Advisory section for additional information about the intrusion and the complimentary consumer identity protection services being offered through AllClear ID.
Customers are not responsible for counterfeit fraudulent charges on their credit cards or debit cards that are timely reported. Accordingly, if customers become aware of such activity, they should contact their issuing bank immediately.
Supervalu also has shared a “Consumer Identity Protection Reference Guide” outlining steps customers can take to protect their information. The company is urging its shoppers to be vigilant and closely review or monitor their bank and credit card statements, credit reports and other financial information for any evidence of identity theft or other unusual activity.
Some stores owned and operated by Albertson’s LLC and New Albertson’s Inc. suffered a related criminal intrusion (see more information below). Supervalu provides information technology services to those stores, but said any losses incurred by Albertson’s LLC or New Albertson’s Inc. as a result of the intrusion would not be Supervalu’s responsibility.
Supervalu maintains insurance for cyber threats, which it believes should mitigate the financial impact of these intrusions on Supervalu, including claims that might be made against the company based on these intrusions. Supervalu management does not believe that the ultimate outcome will have a material adverse impact on its consolidated results of operations, cash flows or financial position.
AB Acquisition Lists Impacted Store Banners
AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC, and New Albertson’s Inc., which operates stores under Acme Markets, Jewel-Osco, and Shaw’s and Star Market banners, also experienced the unlawful intrusion to obtain credit and debit card payment information in some stores.
AB Acquisition said the appropriate federal law enforcement authorities have been notified and that it is working closely with Supervalu, its third-party IT services provider, to better understand the nature and scope of the incident. Third-party data forensics experts are supporting an ongoing investigation.
AB Acquisition has not determined that any cardholder data was in fact stolen and currently it has no evidence of any misuse of any such data. The company said it believes that the intrusion has been contained and that its customers can safely use their credit and debit cards in its stores.
Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and two Super Saver Foods Stores in Northern Utah were not impacted by the incident, the company said, based on information it currently has. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted.
Acme Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Market stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all impacted by the incident.
“We know our customers are concerned about the security of their payment card data and we work hard to protect it,” said Mark Bates, SVP and CIO at AB Acquisition LLC. “As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened. It’s important to note that there is no evidence at this point that consumer data has been misused. We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers’ data was targeted.”
More information will be available at albertsons.com, acmemarkets.com, jewelosco.com, and shaws.com within 24 hours, the company said. AB Acquisition LLC is offering customers whose payment cards may have been affected 12 months of complimentary consumer identity protection services through AllClear ID.
Established in 2006, AB Acquisition LLC operates Acme, Albertsons, Jewel-Osco, Lucky, Shaw’s, Star Market and Super Saver banner stores as well as stores under The United Family, including Amigos, Market Street and United Supermarkets. The company is privately owned by Cerberus Capital Management, Kimco Realty Corp., Klaff Realty, Lubert-Adler Partners and Schottenstein Stores Corp., and operates 1,060 stores and 14 distribution centers in 29 states.