The Minnesota-based company says it believes an intruder, between late August and early September, installed malware into the portion of its computer network that processes payment card transactions at some of its Shop ’n Save, Shoppers Food & Pharmacy and Cub Foods owned and franchised stores, including some of its associated stand-alone liquor stores. The company says this was a separate intrusion from the one announced Aug. 14. Upon recognition of the intrusion, the company says it took immediate steps to secure the affected part of its network and believes it has eradicated the malware. An investigation of this recently discovered incident is under way.
Supervalu says it believes that its enhanced protective technology significantly limited this recently discovered malware’s ability to capture data from payment cards where the malware was installed. Specifically, although the investigation is ongoing, Supervalu believes that this malware did not succeed in capturing data from any payment cards used at any stores other than at some checkout lanes at four Cub Foods franchised stores (see below).
The company says the malware was not installed at, and did not affect, any of its Farm Fresh or Hornbacher’s stores, any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company through its Independent Business network (other than the affected Cub Foods franchised stores).
“We care greatly about our customers, and the safety of their personal information will continue to be a top priority for us,” said President and CEO Sam Duncan. “We’ve taken measures to install enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data and we will continue to make these investments going forward.”
Malware at franchised Cub Foods stores
The malware potentially captured data from payment cards used at some checkout lanes in four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, Minn., where implementation of enhanced protective technology had not yet been completed. For these four stores, Supervalu says it believes that the malware may have been successful in capturing account numbers and, in some cases, also the expiration date, other numerical information and/or the cardholder’s name from payment cards used at some checkout lanes from Aug. 27 (at the earliest) through Sept. 21 (at the latest); however, the company says it has made no determination that any cardholder data was in fact stolen by the intruder.
The investigation is ongoing and Supervalu says it is possible more locations may be impacted.
Although Supervalu has not determined that any cardholder data was in fact stolen by the intruder at the four franchised Cub Foods stores, the company is offering customers who used their payment cards at those four stores during the relevant time period 12 months of complimentary consumer identity protection services through AllClear ID.
Customers are not responsible for counterfeit fraudulent charges on their credit cards or debit cards that are timely reported. Accordingly, if customers become aware of such activity, Supervalu says they should contact their issuing bank immediately.