SUPERVALU has been breached again.
The announcement comes after the Minnesota-based company stated in August that anyone who ran credit and debit cards through point-of-sale (POS) devices in more than 200 of its nationwide shops may have had personal information stolen – notably payment card data.
SUPERVALU is the IT services provider for AB Acquisition LLC, which was notified that it too has been breached for a second time. AB Acquisition LLC – operator of Albertsons, ACME Markets, Jewel-Osco, and Shaw's and Star Market – also announced in August that it experienced a payment card breach.
In a Monday consumer security advisory and updated FAQ, SUPERVALU stated that it experienced a “separate criminal intrusion” involving different malware being installed on the computer network that processes payment card transactions at some of its Shop ‘n Save, Shoppers Food & Pharmacy and Cub Foods stores, as well as some of its associated stand-alone liquor stores.
“[SUPERVALU] believes this was a separate intrusion from the one announced on August 14,” according to the advisory. “Upon recognition of this intrusion, the Company took immediate steps to secure the affected part of its network and believes it has eradicated the malware.”
Although an investigation is ongoing, SUPERVALU said it believes that the malware did not capture payment card data from any stores with the exception of at some checkout lanes at four Cub Foods locations in Minnesota – and even that has yet to be confirmed, the advisory indicates.
The malware may not have been able to steal the card information because the company had installed “enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data,” according to a statement from Sam Duncan, CEO of SUPERVALU.
On Monday, Steve Hultquist, chief evangelist at RedSeal Networks, told SCMagazine.com that the “enhanced protective technology” could have been some kind of application layer security, a SIEM, or a modern firewall.
That technology had yet to be implemented at the four Cub Foods locations in Minnesota, which is why the malware may have been able to compromise cardholder names, account numbers, expiration dates, other numerical information from payment cards used between Aug. 27 and Sept. 21, the advisory indicates.
In a Monday post, AB Acquisition LLC stated that the same information may have been compromised between the same timeframe from Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah.
Additionally, ACME Markets locations in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected, the post indicates.
"At this time there has not been a determination that any payment card data was in fact stolen as a result of either incident," according to the post. "Measures have been taken to prevent further use of this new and different malware in the affected store locations. We are also implementing additional measures to enhance the protection of customer payment card data."
Potentially impacted customers in both cases are being offered identity theft protection services.
Understanding the network, making sure security controls are properly configured and planning well ahead of time are pivotal to reducing the risk of these types of incidents, Hultquist said, adding that defense must expand from reactive monitoring and alerting to automated prevention through analyzing the entire end-to-end network.