Slashdot Mirror


Supervalu Becomes Another Hacking Victim

plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.

27 comments

  1. Albertsons too by Anonymous Coward · · Score: 1

    Albertsons too

    http://www.chicagotribune.com/business/breaking/chi-report-jewel-osco-hacked-20140815-story.html

  2. No Surpris by TechyImmigrant · · Score: 2

    They can't even spell their own name.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Why do they have this data in the first place? by Anonymous Coward · · Score: 0

    Aren't you supposed to delete this stuff as soon as you transmit it and receive payment confirmation?

    1. Re:Why do they have this data in the first place? by plover · · Score: 3, Informative

      There are typically two phases to processing credit. In the first phase, called authorization, the terminal sends the request to the bank via their processor and requests authorization: hey, bank, will you approve $100? The bank sends back a 'yes' which is returned to the terminal, but no money changes hands at this time. The processor saves up the day's batch of authorization requests.

      In the second phase, called settlement, the processor sends the batch to the bank, either later that night, or every few hours, or whenever. The bank then transfers the funds for every authorized transaction in the batch.

      This is different from debit, where the funds are transferred in a single step.

      --
      John
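
The authorization-then-settlement flow plover describes above, as an added toy model (not code from Supervalu, a card processor, or the original post). The bank, processor, merchant account name and card balances are all constructed; open-to-buy holds and expiry of stale authorizations are deliberately not modeled. What it shows is the state at each step: after authorization the merchant's balance is unchanged while the processor's batch holds the card number, and only settlement moves money, whereas debit does both in one step and retains nothing.

```python
"""Toy two-phase credit processing (authorize, then batch settle) vs. single-step debit.
Added illustration; every name and amount below is constructed. Amounts are in cents."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Bank:
    """Issuer and acquirer rolled into one: holds every account balance in cents."""
    balances: Dict[str, int]

    def authorize(self, account: str, amount: int) -> bool:
        # Phase 1: "will you approve $X?"  No funds move here.
        # (Assumption: no hold is placed, so repeated auths see the same balance.)
        return self.balances.get(account, 0) >= amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


@dataclass
class Processor:
    """Sits between the terminal and the bank; accumulates the day's approved auths."""
    bank: Bank
    merchant: str
    batch: List[Tuple[str, int]] = field(default_factory=list)

    def credit_sale(self, pan: str, amount: int) -> bool:
        approved = self.bank.authorize(pan, amount)
        if approved:
            # The card number has to be kept until settlement: this retained
            # batch is the data the parent comment asks about.
            self.batch.append((pan, amount))
        return approved

    def settle(self) -> int:
        # Phase 2: the whole batch goes to the bank and funds actually move.
        total = 0
        for pan, amount in self.batch:
            self.bank.transfer(pan, self.merchant, amount)
            total += amount
        self.batch.clear()
        return total

    def debit_sale(self, pan: str, amount: int) -> bool:
        # Debit: approval and transfer happen in one step; nothing is batched.
        if not self.bank.authorize(pan, amount):
            return False
        self.bank.transfer(pan, self.merchant, amount)
        return True


def demo() -> dict:
    """Run one day: two auths (one declined), settlement, then a debit sale."""
    bank = Bank({"card-A": 50_000, "card-B": 2_000, "store": 0})
    proc = Processor(bank, "store")
    approved_a = proc.credit_sale("card-A", 10_000)   # approved, no funds moved yet
    approved_b = proc.credit_sale("card-B", 10_000)   # declined: only $20 available
    store_after_auth = bank.balances["store"]          # still 0
    retained = len(proc.batch)                         # one PAN sitting in the batch
    settled = proc.settle()                            # now the $100 moves
    store_after_settle = bank.balances["store"]
    debit_ok = proc.debit_sale("card-A", 1_500)        # single step
    return {
        "approved_a": approved_a,
        "approved_b": approved_b,
        "store_after_auth": store_after_auth,
        "retained_in_batch": retained,
        "settled": settled,
        "store_after_settle": store_after_settle,
        "debit_ok": debit_ok,
        "store_after_debit": bank.balances["store"],
        "card_a_final": bank.balances["card-A"],
        "batch_after_settle": len(proc.batch),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The window between `credit_sale` and `settle` is where the processor (or the store's own system, if it builds the batch locally) necessarily holds card numbers; the debit path never has that window.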
    2. Re:Why do they have this data in the first place? by Anonymous Coward · · Score: 0

      > Aren't you supposed to delete this stuff as soon as you transmit it and receive payment confirmation?

      One of the common "modern" hacks is to capture the data in transit. Like infecting the card-swipe machine to scrape the data out of RAM. So even when it isn't "stored" anywhere permanently the hackers still get copies. That was one of the techniques used against Target.
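
The in-memory capture described in the comment above works because track data has a fixed, recognizable layout while it sits unencrypted in the POS process, and a scraper simply pattern-matches for it. The same matching serves as detection logic. Below is an added example (not from the original post, and not taken from any named malware or vendor tool) that scans a constructed byte blob standing in for a process memory dump, finds Track 1 and Track 2 formatted data, rejects candidates that fail the Luhn check, and reports only masked card numbers. The sample dump, the test PANs and the regexes' tolerance for trailing fields are all my assumptions.

```python
"""Scan a memory image for magnetic-stripe track data (added example; the dump is constructed)."""
import re
from typing import Dict, List

# Track 2 as read off the stripe: <PAN>=<YYMM expiry><3-digit service code>... optional '?' end sentinel.
# The negative lookbehind stops a match from starting mid-number.
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]*\??")
# Track 1: %B<PAN>^<NAME>^<YYMM expiry>... optional '?' end sentinel.
TRACK1_RE = re.compile(rb"%B([0-9]{13,19})\^([^^]{2,26})\^([0-9]{4})[0-9^ ]*\??")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits; weeds out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):   # iterating bytes yields ints
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four so findings can be logged without re-exposing the PAN."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-valid track data found in buf, ordered by offset."""
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": "1", "pan": mask(pan), "expiry": m.group(3).decode(),
                         "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": mask(pan), "expiry": m.group(2).decode(),
                         "offset": m.start()})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed stand-in for a POS process memory dump. The PANs are the
# widely published test numbers 4111111111111111 and 5500000000000004;
# 4111111111111112 is a deliberate Luhn failure.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"PosTerminal v3.2 idle\x00"
    + b";4111111111111111=2512101123456789?\x00"              # Track 2, valid Luhn
    + b"\xde\xad\xbe\xef" * 4
    + b"%B5500000000000004^DOE/JANE^25121011234567890?\x00"   # Track 1, valid Luhn
    + b"order_id=4111111111111112=2512101?\x00"                # track-shaped, fails Luhn
    + b"receipt 0012345678901234 printed\x00"                  # 16 digits, no track framing
    + b"\x00" * 16
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Run against the constructed dump this reports two findings (the Track 2 record at the lower offset, then the Track 1 record) and ignores both the Luhn-invalid decoy and the bare receipt number. On a real host the same scan would be pointed at the POS process's memory or a captured dump; the Luhn filter is what keeps the false-positive rate tolerable on large images.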

    3. Re:Why do they have this data in the first place? by wkk2 · · Score: 1

      Do chip and pin cards even work in the US? I've tried at Home Depot, Staples, Walmart, USPS, and even a small haircut place and the cards don't work. One place even yelled at me for trying to use the chip slot.

    4. Re:Why do they have this data in the first place? by plover · · Score: 1

      Chip and PIN cards don't work at most U.S. retailers today, but as of October 2015 the Payment Card Industry has scheduled a change to the contracts in what is being called the "liability shift". It means that whoever has the least security in the payment chain will be held liable for non-payment or fraud for the charges incurred. So if Home Depot doesn't accept a chip card, and your bank's card has a chip on it, then Home Depot will be liable because their system is the least secure. Or if Home Depot's systems are able to accept the chip cards, but your bank's card doesn't have a chip, then your bank will be liable. This penalty is a huge financial incentive for both retailers and banks to upgrade the security of their systems to fully support Chip and PIN by that date so they don't get left holding the bag.

      Once Chip and PIN systems are deployed to most places, they will begin requiring the removal of mag stripes. That's when the final pieces of security will kick in, and account number theft will be essentially eliminated.

      --
      John
  4. In other news by TechyImmigrant · · Score: 4, Funny

    SuperValu aren't the only ones. Targe, WallMar and Whole Food were also hacked.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:In other news by Anonymous Coward · · Score: 0

      l2english noob.

    2. Re:In other news by TechyImmigrant · · Score: 1

      Oh noes

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:In other news by uCallHimDrJ0NES · · Score: 1

      That's not how you spell Hole Foods.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    4. Re:In other news by Loopy · · Score: 1

      If I had them, all my mod points are belong to you.

  5. Hannaford by Anonymous Coward · · Score: 0

    For those of you on the east coast, this is also the parent company of Hannaford.

  6. Between June 22 and July 17? by Anonymous Coward · · Score: 0

    So it went on for a month before anyone noticed?

  7. Fun fact by Anonymous Coward · · Score: 0

    Supervalu means incredible pain in Estonian.

  8. I protest by Mister+Liberty · · Score: 1

    To the misuse of the word 'hacking'.

  9. vegetable section: IT offices by swschrad · · Score: 1

    fact is, it's a pretty soft underbelly, this electronic commerce thing. it's the system that's rotten, and the top bananas are way green in this stuff. going to be a lot of meat robots canned before electronic payments make the cut.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  10. Bah by Anonymous Coward · · Score: 0

    True hackers wouldn't need to physically break in.

  11. First Target, now this? by miller701 · · Score: 1

    What's going on with pickin' on our nice Minnesota retailers? I guess Best Buy is next!

  12. New Disease Discovered by Anonymous Coward · · Score: 0

    It has no known symptoms. Said to afflict only those in New Jersey.

  13. What do all of these companies have in common? by WindBourne · · Score: 1

    1) They run Windows.
    2) they have outsourced to India esp. the production.
    3) nearly all of these companies do NOT operate in India, EXCEPT for hiring coders/admin.

    You have systems admins that are paid less than $8,000 / year. If you are Russia or China, would you spend large sums of money to break into a store to get access to a production system, all while having your insider possibly getting caught, OR, would you spend just 50K, approach an admin that is doing work on production and all s/he has to do, is release a worm quietly on the production, that will NOT hurt other employees?
    If we westerners, esp. American MBAs, are dumb enough to outsource this work like this, we deserve what we are getting.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  14. Exactly. by WindBourne · · Score: 1

    It is cheaper and faster to simply buy an insider.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  15. For those thinking that these are insider jobs by WindBourne · · Score: 2

    BTW, for those that think that these were companies that were cracked by ppl walking into the stores, here you go:
    www.chicagotribune.com/business/breaking/chi-report-jewel-osco-hacked-20140815-story.html

    The list of retailers that have been hit by breaches just this year includes Recreational Equipment Inc., CVS/Caremark, Goodwill Industries International Inc., Ebay, Aaron Brothers, Sally Beauty Supply, Home Depot, Sears, Michaels Stores and Neiman Marcus.

    And that does not include either Jewel Osco, Target, or Supervalu. In addition, all have been done in less than 9 months.
    So, is this ppl running around the nation going into all of these companies? Nope. Possibly a backdoor was found on the network equipment. But, I suspect that they have simply bought some ppl in the nations that they have outsourced to.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:For those thinking that these are insider jobs by Anonymous Coward · · Score: 0

      Target was hacked via their HVAC system.

    2. Re: For those thinking that these are insider jobs by Anonymous Coward · · Score: 0

      No, that was never proven. All that was known was that a key was missing. That does not mean that it was the point of entry.

  16. Wow by Anonymous Coward · · Score: 0

    I haven't heard of a SuperValu (sometimes seen as a Dan's or a King's) since the Midwest. Sure as shit never thought it'd be high profile enough to hack (security through obscurity).