NEW YORK (AP) — A data breach at Supervalu may have impacted as many as 200 of its grocery and liquor stores and potentially affected retail chains recently sold by the company in two dozen states, incuding Albertsons grocery stores in Oregon.
The announcement lengthens the list of retailers that have had security walls breached in recent months, including Target, P.F. Chang's and even the thrift store operations of Goodwill Industries International Inc.
Hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information possibly stolen, the company said. Those systems are still being used by the stores sold off by Supervalu last year for $3.3 billion, potentially opening up customer data at those stores as well.
The breach occurred between June 22 and July 17, according to Supervalu, which said it took immediate steps to secure that portion of its network.
The cards from which data may have been stolen were used at 180 Supervalu stores and liquor stores run under the Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy names. Data may also have been stolen from 29 franchised Cub Foods stores and liquor stores. Those stores in North Dakota, Minnesota, Illinois, Virginia, North Carolina, Maryland and Missouri.
But Supervalu said that a related criminal intrusion occurred at the chain stores it sold to Cerebus Capital Management LP in March 2013, stores that Supervalu continues to supply with information technology services.
Those stores include Albertsons, Acme, Jewel-Osco, Shaw's and Star Market — and related Osco and Sav-on in-store pharmacies in two dozen states.
Cerebus affiliate AB Acquisition said that it's working closely with Supervalu to evaluate the scope of the potential breach.
Supervalu has yet to determine if any cardholder data was actually stolen and said Friday that there's no evidence of any customer data being misused. Information about the breach was released out of "an abundance of caution," the company said.
The company believes that the intrusion has been contained and it said it is confident that people can safely use credit and debit cards at its stores.
Supervalu and AB Acquisitions are offering customers whose cards may have been affected a year of consumer identity protection services via AllClear ID.
Supervalu has also created a call center to help answer customer questions about the data breach and the identity protection services being offered. The call center can be reached at (855) 731-6018. Customers may also visit Supervalu's website under the Consumer Security Advisory section to get more information about the data breach and the identity protection services.
There are efforts underway to make credit and debit cards more secure following a rash of security breaches in recent months.
Target Corp. said this month that expenses tied to a breach leading up to last year's holiday shopping season could reach as high as $148 million. The incident led to a major shakeup at the company and CEO Gregg Steinhafel resigned.
Restaurant operator P.F. Chang's confirmed in June that data from credit and debit cards used at its restaurants was stolen. There have been smaller breaches at Neiman Marcus and Michaels Stores Inc.
Shares of Supervalu shed 33 cents to $9.26 in afternoon trading.
Copyright 2014 The Associated Press
Here's the press release from AB Acquisition LLC:
AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores.
The appropriate federal law enforcement authorities have been notified, and AB Acquisition is working closely with its third party IT services provider, SUPERVALU, to better understand the nature and scope of the incident.
Third-party data forensics experts are supporting an ongoing investigation. AB Acquisition has not determined that any cardholder data was in fact stolen, and currently it has no evidence of any misuse of any such data.
AB Acquisition believes that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.
Based on the latest information from the ongoing investigation, it appears that the period of unauthorized access may have started on June 22, 2014 (at the earliest) and ended on July 17, 2014 (at the latest).
Based on information we have at this time, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and our two Super Saver Foods Stores in Northern Utah were not impacted by this incident.
However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all impacted by this incident.
“We know our customers are concerned about the security of their payment card data, and we work hard to protect it,” said Mark Bates, Senior Vice President and Chief Information Officer at AB Acquisition LLC. “As soon as we were notified of the incident, we began working closely with SUPERVALU to determine what happened. It’s important to note that there is no evidence at this point that consumer data has been misused.”
Continued Bates, “We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers’ data was targeted. ”
Given the continuing nature of the investigation, it is possible that time frames, locations and/or at risk data in addition to that described above will be identified in the future.
More information will be available on the websites at albertsons.com, acmemarkets.com, jewelosco.com, and shaws.com within 24 hours. Although it has not yet been determined whether any cardholder data was in fact stolen, and there is no evidence to date of any misuse of such data, AB Acquisition LLC is offering customers whose payment cards may have been affected 12 months of complimentary consumer identity protection services through AllClear ID. Customers may visit the websites listed above for further information about the incident and about complimentary consumer identity protection services being offered, or call AllClear ID at 1-855-865-4449 beginning at 2:00pm MT (4:00pm ET) on August 20, 2014. (PLEASE NOTE: This has been edited from August 15, 2014. Customers with other issues or questions are welcome to call our Customer Center at 1-877-932-7948 in the interim)|
A free copy of your credit report can also be obtained from each of the credit bureaus once a year by going to http://www.annualcreditreport.com or calling 877-322-8228. Hearing impaired consumers can access TDD services at 877-730-4104. We encourage you to monitor these reports, as well as your credit and debit card statements. You may also place a fraud alert or security freeze on your credit report by contacting the credit bureaus as listed below.
About AB Acquisition LLC
Established in 2006, AB Acquisition LLC (“Albertsons”), which operates ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver, and stores under the United Family of stores, Amigos, Market Street and United Supermarkets, is working to become the favorite food and drug retailer in every market it serves. The company is privately owned by Cerberus Capital Management, Kimco Realty Corporation, Klaff Realty, Lubert-Adler Partners, and Schottenstein Stores Corporation, and operates 1,060 stores and 14 distribution centers in 29 states and employs approximately 115,000 associates. For more information, please visit www.Albertsons.com.
You may also contact the Federal Trade Commission for more information toll-free at 1-877-ID-THEFT (438-4338) (TTY: 1-866-653-4261), by email at http://www.consumer.ftc.gov/features/feature-0014-identity-theft, or writing to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
A free copy of your credit report can be obtained from each of the credit bureaus once a year by going to http://www.annualcreditreport.com or calling 877-322-8228. Hearing impaired consumers can access TDD services at 877-730-4104. We encourage you to monitor these reports, as well as your credit and debit card statements. You may also place a fraud alert or security freeze on your credit report by contacting the credit bureaus as listed below.
EquifaxP.O. Box 740241Atlanta, GA 30374
ExperianP.O. Box 9554Allen, TX 75013
TransUnionP.O. Box 6790Fullerton, CA 92834
A security freeze will prevent new credit from being opened in your name without the use of a personal identification number or password that will be issued by the credit bureaus after you initiate the freeze. A security freeze will also prevent potential creditors from accessing your credit report without your authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, mortgages, employment, housing or other services. In order to place a security freeze, you may be required to provide the credit bureaus with information that identifies you, including your full name, social security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement. Credit bureaus may charge a fee up to $10 to place, lift, or remove the security freeze; however, this fee may be less in certain states (in MA, up to $5) or waived if you are the victim of identity theft and you provide a valid police report. You must separately place a security freeze on your credit file with each credit reporting agency.