If the possibility of being charged credit card swipe fees isn’t enough for you to give up paying with plastic, perhaps this news will. A Phoenix-based grocery chain says it was the victim of a sophisticated cyberattack – though the real victims are the hundreds of customers, if not more, whose credit card information was stolen. Oops.
The Pinal County Sheriff’s Department said it began receiving several reports of fraudulent credit and debit card transactions nearly three weeks ago. An investigation led them to Bashas’, a family-owned chain of 130 grocery stores located primarily in Arizona. Bashas’ says “highly sophisticated criminals” gained access to its systems in June or July of 2012. The suspects were able to skim customers’ credit and debit card information as the cards were used in its Bashas’, AJ’s and Food City stores. The Pinal County Sherrif’s Department says it’s received more than 400 complaints in its jurisdiction alone.
In a statement to customers, Bashas’ reassured them that “highly-sophisticated piece of malware that has never been seen before in the industry” has been “identified and contained” and that they’ve installed “additional security measures.”
But that’s small comfort for the customers whose payment information was stolen. Dozens of customers posted on Bashas’ Facebook page to say they were among those whose cards were compromised. Phoenix’s KNXV-TV reported that the city’s former mayor was among the victims. Phil Gordon said about $1,300 was charged to two of his credit cards. And even famed Maricopa County Sheriff Joe Arpaio, the self-proclaimed “toughest sheriff in America”, discovered that his card was used to ring up about $300 worth of products at a Chicago grocery store – and Arpaio says he hasn’t been to Chicago since 1957.
Security experts say it appears whoever hacked into Bashas’ systems sold the card data they obtained, which would explain how purchases were made all over the country and in some cases, even overseas.
The Pinal County Sheriff’s Office says all of the affected customers have been reimbursed for any fraudulent charges. They’re looking for information about three individuals pictured in a store security photo, who are considered “investigative leads.” For its part, Bashas’ is encouraging its customers to closely monitor their debit and credit card reports, and to report any unusual activity.
Other retailers have had similar experiences – BankInfoSecurity notes that Zaxby’s restaurants reported a point-of-sale breach in January, Barnes & Noble also did in October, as did Michaels craft stores in 2010. And Supermarket News says it happened to Hannaford supermarkets in 2008, and Stop & Shop in 2007.
So this is hardly the first time this has happened. And as cyber criminals get more sophisticated, it likely won’t be the last.