Another day, another security breach. This time, the victim is Supervalu, the owner of Cub Foods, Hornbacher’s, Farm Fresh, Shop ‘N Save and Shoppers Food stores. Also affected are former Supervalu stores that still use their old owner’s IT services – Jewel-Osco, ACME, Shaw’s, Star Market and Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah. Those supermarket chains were acquired from Supervalu last year.
Potentially affected are shoppers who used debit or credit cards at any of those stores from June 22 to July 17. In a statement released overnight, Supervalu says it “has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution.”
And also because the Wall Street Journal beat them to it.
In what’s become a pattern in a rash of recent data breaches, an outsider let the cat out of the bag before the affected company was quite ready to announce it. In a story published on Thursday, the Wall Street Journal cited unnamed sources as saying Supervalu was “investigating a potential data breach that might have affected more than 1,000 stores.”
“A spokesman for Supervalu didn’t have any immediate comment,” the report noted.
Official comment swiftly followed, in the form of a statement released early Friday (though it was dated Thursday) in which the company confirmed that it “experienced a criminal intrusion into the portion of its computer network that processes payment card transactions.”
But the very fact that the newspaper was first to report it, is potentially troublesome. Stores that have suffered such data breaches can find themselves in something of a Catch 22 – they could jeopardize the investigation if they tell all to the public too early, but then they risk the public’s wrath if they wait too long to reveal what they know.
Just ask Target.
The big-box chain announced in December that as many as 40 million debit and credit cards may have been compromised during a two-and-a-half-week period. Target came under instense criticism, and faced numerous lawsuits, for not announcing the breach until after a security blogger reported on it. Earlier that year, St. Louis-based grocery chain Schnucks suffered its own data breach, and many customers complained that the store effectively allowed their information to be stolen, by waiting until the situation was contained before publicly acknowledging it.
For its part, Supervalu says the breach has been contained, and it’s working with law enforcement to investigate the extent of the intrusion. It’s also offering a year’s worth of free credit monitoring to any customer who believes they may have been affected. “I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores,” Supervalu CEO Sam Duncan said.
That’s likely to be small comfort to some. In Target’s case, it took an unprecedented series of sales and discounts to lure disaffected shoppers back into its stores. And it still hasn’t entirely recovered from the fallout.
So whether Supervalu’s response is enough, remains to be seen. If the public reaction turns out to be anything like it was in Target and Schnucks’ cases, you might want to look for some big sales at Supervalu stores very soon.
Image sources: flickr/Sean MacEntee, Supervalu