(Be sure to read this update: “Schnucks Repairs Security Breach – But For Some, the Damage is Done”)
Another supermarket chain has been hit with an apparent credit card hack, as more shoppers come forward to complain their account information has been stolen. St. Louis-based Schnucks says it’s investigating, and police are recommending that its customers put away their plastic for now, and pay cash instead.
Reports of compromised debit and credit cards first started trickling out a couple of weeks ago. Last week, Schnucks issued a statement, saying it “became aware on March 15 that some customers had noticed unauthorized charges on their card statements for credit cards they used at Schnucks. We want to reassure our customers that we are diligently investigating this matter.”
Since then, reports to police are starting to pile up, and concerned customers are looking for answers. Asked again for comment Wednesday by the St. Louis Post-Dispatch, Schnucks reiterated its statement from last week. Meanwhile, the store’s Facebook page is filled with comments and questions about the credit card fraud issue, but Schnucks is responding with cheerful posts about recipes and in-store deals.
Until the investigation is complete, police note there’s simply not much more to say. That’s small comfort to those who’ve been hacked, and those who might worry they’ll be next. “I would recommend that people pay with cash or check,” a police detective tells the Post-Dispatch, “until I hear from Schnucks that, yes, there was a problem, and yes, it’s been fixed.”
Such credit card breaches are not uncommon. It happened to the Phoenix-based grocery chain Bashas’ earlier this year (read: “Another Reason to Consider Paying Cash”), and to Aldi in 2010. In those cases, though, by the time the public was made aware of the problem, the stores assured customers they had already solved it. “We recently located and removed a highly-sophisticated piece of malware,” Bashas’ said last month, adding that “Bashas’ may very well be one of the safest places you can use your credit card right now.” In Aldi’s case, it assured customers that “we conducted a thorough review of all stores nationwide and removed terminals we believe may have been affected.”
Schnucks is offering no such reassurances at this point, fueling fears that its systems may still be compromised. Though, investigators say, it’s too soon to tell whether the problem is within Schnucks’ own systems, or with a third-party vendor that processes the transactions.
As in the case of Bashas’, many of the fraudulent charges traced back to Schnucks were easy to spot, since they were made far from home. Many customers reported their banks alerted them to big charges being made in states all over the country. The credit card information appears to have been taken from people who shopped at Schnucks in January and February. Analysts say that fits the pattern, as many thieves will hold onto the information for at least a month or two before using, or more likely, selling it.
In Bashas’ case, local banks reported having to replace hundreds of credit and debit cards. And customers who were hit, are still being advised to monitor their accounts for any unusual activity. Federal authorities are now involved in that investigation. “Unfortunately,” Bashas’ concluded, “we’ve learned that in today’s environment, no one is immune from cyber-attacks.”
(Be sure to read this update: “Schnucks Repairs Security Breach – But For Some, the Damage is Done”)