Supervalu Inc. warned Friday that hackers attacked computer systems containing customer information from 1,016 grocery and liquor stores around the country, including 60 stores in Minnesota.
Three Cub Foods stores in St. Paul were affected, while no breaches were reported in Minneapolis. Many of the other Minnesota stores were in suburbs like Arden Hills, Apple Valley, Bloomington, Brooklyn Park, Burnsville, Blaine, Maplewood and Plymouth.
There is no evidence as yet that actual cardholder information was stolen or misused, Supervalu said. Spokesman Jeff Swanson said the company decided to notify customers “out of an abundance of caution.”
The exposure occurred between June 22 and July 17, the Eden Prairie-based company said.
It affected 180 Supervalu stores in Illinois, Minnesota, Missouri, North Carolina, North Dakota and Virginia. Those stores operate under the names of Cub, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy. The company’s Save-A-Lot stores were not breached.
Cyberthieves also attacked the data system of AB Acquisition LLC, the firm formed when Supervalu sold Albertsons and other groceries last year. Supervalu continues to provide technology services to the 836 stores — operating under the names Albertsons, ACME Markets, Jewel Osco, Shaw’s and Star Markets — that were affected in 21 states.
Supervalu declined to say exactly when the breach was discovered. The company and federal authorities are investigating exactly how the breach occurred.
It is the latest in a string of cyberattacks against large retailers and consumers. Target Corp. experienced a breach during the 2013 holiday shopping period that exposed the financial and personal data of 70 million customers and has cost the Minneapolis-based retailer $235 million to date, about $90 million of which is expected to be covered by insurance.
Michaels Stores, Neiman Marcus, P.F. Chang’s and other stores and restaurant firms all experienced cyberattacks in recent months. Last week, the New York Times reported that a group of Russian hackers stole 1.2 billion user names and passwords from thousands of websites owned by retailers and Fortune 500 companies.
Jacob Ansari, a data forensics manager at Sikich LLP’s 403 Labs in Brookfield, Wis., said consumers would ultimately bear little cost if the attack on Supervalu and AB Acquisition leads to fraudulent use of credit cards. Most issuers of credit cards hold the consumer liable for only $50 of fraudulent activity.
Instead, Ansari said, Supervalu and card issuers could wind up with the bigger bill.
“They will have whatever it costs to investigate the incident and the cost to reissue the affected cards. That could be $3 to $11 just to reissue each card,” Ansari said. “The cost could be pretty big depending on how many cards were involved.”
Ansari said the case stood out from other cyberattacks because it affected data systems across company lines.
“The interesting thing is that an organization can sell off something, but the technology can stay the same,” Ansari said. “You can have a payment-card acceptance system that stays constant even though the business changes hands. If that happens, then the vulnerabilities may potentially stay constant as well.”
Supervalu CEO Sam Duncan said in a statement that the “safety of our customers’ personal information is a top priority for us. The intrusion was identified by our internal team, it was quickly contained and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers.”
The company said it would provide 12 months of free identity protection services through AllClear ID to customers who asked. A call center will be staffed beginning Monday to answer customers’ questions. That number is (855) 731-6018. Until Monday, concerned customers are being directed to the company website, where a list of the affected stores is posted, Swanson said.
Cyberattacks also create other financial and public relations risks for companies. In Target’s case, the breach last November and December reduced sales just before Christmas and, months later, contributed to the departure of several executives, including its top leader, Gregg Steinhafel.
Ansari said Target’s case was unique because there was little time between the breach and when fraudulent activity began to appear with its customers’ credit cards.
Normally, it takes months for fraud to appear because the stolen data is sold and resold among criminals. “By that time, a financial institution has usually flagged the transaction, canceled the card and issued a new one,” Ansari said.