Constant vigilance by everyone.
That's what cyber security experts advised Friday after hackers breached computers at more than 1,000 grocery and liquor stores currently or formerly owned by Eden Prairie-based Supervalu.
Even as the country catapults toward a cashless society, experts concede that merchants and banks will never be able to fully protect consumers from computer crime.
"The only secure computer is one that is unplugged and locked up in a dark room with no windows," said Chad Boeckmann, chief executive of Secure Digital Solutions.
The Supervalu attack follows incidents at Michaels Stores, P.F. Chang's and other stores and restaurants. Minneapolis-based Target suffered a breach late last year in which hackers obtained information of one kind or another on as many as 110 million people.
Ed Mierzwinski, consumer project director at the Public Interest Research Group, said the trend shows the need for continuous, thorough checks of each link in the purchase chain.
"The hackers keep getting smarter," he said.
Experts say the Supervalu breach offers yet more evidence that credit- and debit-card technology must quickly be improved by installing computer chips and requiring personal identification numbers that make it harder to use stolen cards to make purchases. Companies that sell also must identify the most vulnerable points in their information technology systems and immediately upgrade and monitor them. But ultimately, it also means that no one making a cashless purchase can rest easy.
"Data can't be completely protected if it is accessible over the Internet," explained Boeckmann, whose Minneapolis-based company advises corporate clients.
In a news release posted Friday on its Internet homepage, Supervalu said it has not determined if hackers stole data after getting into its system. The company "has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution."
It urged customers to "be vigilant and closely review or monitor your bank and credit card statements, credit reports, and other financial information for any evidence of identity theft or other unusual activity" and to tell their banks immediately if they saw anything strange.
Mierzwinski went a step further and said Supervalu customers should put their banks on notice right now that there may be problems.
Boeckmann credited Supervalu for more initial transparency in reporting its credit breach than Target, which, according to Boeckmann, used "a drip-by-drip information approach."
"Other companies got to learn from Target," he said.
Target lost sales, was subjected to congressional hearings and ended up replacing its chief information officer — and, eventually, its CEO — as information emerged about missed warnings, gaps in its computer security system and delays in customer notifications.
Because of what happened to Target, many companies now operate from the assumption that their systems have already been compromised and go looking for breaches, Boeckmann said. The process allows corporate information security officers to act rather than react. Even where they don't find intruders in their systems, he added, they discover and reinforce weak spots.
But for now, nothing protects consumers entirely. The need to carefully scour monthly credit- and debit-card statements for irregularities is more important than it has ever been for those who want to avoid the headaches and possible expense of information and identity theft.
Many consumer advisers, including Mierzwinski, caution against using debit cards for retail and online purchases. Credit-card contracts generally limit the responsibility of card holders to pay for illegal purchases. Debit cards, which draw funds directly from checking accounts, often do not. Even when consumers can get banks to refund money to their checking accounts, the process can take weeks.
"This consumer only uses his credit card at the store," Mierzwinski said, referring to himself, "because credit cards have protections that debit cards do not."