American retailer Supervalu has said it has no evidence of any misuse of customer data, as it said it was investigating a potential data breach.
According to Reuters, Supervalu CEO Sam Duncan said in a statement: “I regret any inconvenience that this may cause our customers, but want to assure them that it is safe to shop in our stores.”
It suspected that the intrusion may have resulted in the theft of account numbers and other numerical information from payment cards used at some point-of-sale systems at the company’s owned and franchised stores. The data breach appears to have taken place during the period between June 22nd and July 17th, the retailer said.
“The intrusion was identified by our internal team, it was quickly contained”, Duncan said. Supervalu said that the intrusion may have resulted in the theft of account numbers and in some cases, also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores.
According to NASDAQ, Minneapolis-based Supervalu, which has 3,320 stores in all, hasn’t notified customers about the potential incident, as merchants often do not alert customers about breaches until they know the scope of the attack.
The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods stores and stand-alone liquor stores, which are included in the store list referenced on the Supervalu website.
Mark Bower, VP at Voltage Security, said: “By now, every retailer is aware of the risks of malware in the POS, the impact, and the simple fact being compliant to PCI doesn’t equate to mitigating advanced threats that no doubt again stole the gold in this case.
“The only way to neutralise this risk is to avoid any sensitive data passing in and through the vulnerable POS or retail IT. Hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security and are able to brush off such attacks like water off a ducks back. These risks are totally avoidable – and at a fraction of the cost of the fallout from dealing with the consequences.”
Earlier this week, it was revealed that the Target breach will cost the retailer $148 million in expenses related to the breach, of which $38 million will be recovered via an insurance payout.
George Anderson, Director at Webroot, welcomed the way that SuperValu had handled the incident, after numerous companies experienced harsh criticism for covering up breaches and not being transparent with customers, leaving them vulnerable to phishing attacks.
“SuperValu on the other hand, is a brilliant example of how a breach should be managed – openly providing information, informing customers, opening the investigation and offering free identity management service for those who could have been affected by the breach,” he said.
“Such actions show that the company has the right attitude to cyber security – accepting the fact that a cyber-attack is a matter of time, rather than a possibili
ty and ensuring the right mitigation plans are put in place should the worse happen.”