SuperValu reports data breach

Post by Brian Lutz »

http://online.wsj.com/articles/superval ... 1408108401

Customers who shopped at SuperValu stores or Albertsons stores (for which Supervalu is still handling POS systems currently) between June 22nd and July 17th may have had their credit card data compromised. The issue is still under investigation, but the investigation suggests that malware may have been installed on POS terminals.

Post by storewanderer »

I am curious about the date range and curious what other retailers may have been impacted.

I use my cards very often and up until very recently never encountered any "surprises" from data breach related charges.

The good thing is the monitoring of the card in question caught the breach and did not approve the charge since it was way way out of my normal spending pattern in both amount and merchant type.

Almost every time I travel, at some point, one or two of my cards get shut off and I have to call and confirm charges. However, I have noticed this really happens in California. I cannot recall it happening on any trips to Oregon or Washington, though (ironically, I spent more in those places than in California, so they must base the flagging on the fraud rate in the region you are in and it seems California is full of problems).

But the point comes where so many transactions have to be flagged that consumers grow frustrated or worse yet are not confident in the security of these electronic payment systems. There seems to be one issue after another. Why now? What has changed? The card companies have made merchants spend tons of money to become "PCI Compliant" and there are more issues now than before. And the upcoming change to "chip and signature" - we will see.

Post by Alpha8472 »

I mentioned this on another thread. I was shopping at another large retail chain and a technician from NCR was talking to employees telling them that the credit card readers needed to be bolted down. The technician held up the checkout line and said that she needed to bolt down the credit card reader immediately. As if it was urgent. It was a new style Verifone credit card reader. If a new credit card reader is vulnerable enough that someone can tamper with it if it is not bolted down, why aren't these credit card readers being replaced? Is there no security at all even on the latest in credit card reader technology?

Albertsons is no stranger to credit card reader hackings. They were hacked before when credit card readers were tampered with. The same old story all over again and the credit card reader company is Verifone. These are the ones that you see at CVS, Safeway, Vons, Kroger, Rite Aid, McDonald's, Whole Foods, Target, etc. The only place that I don't see these readers is at 7-Eleven. Are we all going to see our credit cards stolen eventually?

Post by storewanderer »

Many stores have readers that are not bolted down. In my area, Scolari's are not bolted down. Nor are all of the Rite Aids. Nor are Macy's, Dillard's, Sears...

Post by Super S »

storewanderer wrote:
> Many stores have readers that are not bolted down. In my area, Scolari's are not bolted down. Nor are all of the Rite Aids. Nor are Macy's, Dillard's, Sears...

And some retailers are moving toward portable iPad-based POS terminals. Kinda hard to bolt those down when there is a credit card reader in the iPad or like device. Not sure if they do something different for debit cards. I have commented elsewhere about my opinion of these at Sears.

I am tempted to go back to writing checks or just pay cash for everything. My credit union just replaced my debit card after the Home Depot breach.

Post by Alpha8472 »

Checks are dangerous to use. Your bank account number is on the check! That means someone has access to your bank account. There could be thousands of dollars in your account and all that money could be stolen. People can make fake checks. All it takes is a laser printer and then people can crank out checks like crazy. People can make fake IDs and write checks all day long. With a check, someone can also sign up for electronic transfers and transfer money out of your bank account online.

You are not liable for fraudulent charges to your credit card. This means that as long as you report any suspicious charges, you won't be on the hook to pay. However, debit cards are a different story. Debit comes out of your checking account. If the money is stolen you are going to have to prove that it was stolen with a police report and other documentation. Debit is a hassle. If you want to be safe, either use cash or credit. Don't use your PIN for debit. If it is stolen, then your checking account can get drained.

The reason SuperValu and other retail chains started taking debit years ago was that debit cards have lower fees than credit cards. Retail chains want you to use debit because debit saves retail chains money. This is how those credit card readers started showing up in stores. Before debit, cashiers had to swipe credit cards at the register. There were no PIN pads or credit card readers for the customer to type on. These customer-facing PIN pads and credit card readers are the source of these breaches.

Post by Alpha8472 »

My local Safeway store just switched over to a new cash register point of sale system. They posted cheaply made paper signs saying something about please bear with us as our registers are slow due to a totally new software system... Don't tell me they just switched over to the Supervalu system in anticipation of the merger!

I noticed that they had replaced the registers and the screens at the checkout. They no longer have the Safeway logo. Even the receipts look different. The cashiers were having trouble operating the new registers. They didn't even know how to operate some of the functions on the register and were asking each other what to do. The credit card reader screen seemed to have been simplified. I simply swiped my credit card and it did not ask me to donate money to some sort of charity.

Post by Super S »

Alpha8472 wrote:
> My local Safeway store just switched over to a new cash register point of sale system. They posted cheaply made paper signs saying something about please bear with us as our registers are slow due to a totally new software system... Don't tell me they just switched over to the Supervalu system in anticipation of the merger!
>
> I noticed that they had replaced the registers and the screens at the checkout. They no longer have the Safeway logo. Even the receipts look different. The cashiers were having trouble operating the new registers. They didn't even know how to operate some of the functions on the register and were asking each other what to do. The credit card reader screen seemed to have been simplified. I simply swiped my credit card and it did not ask me to donate money to some sort of charity.

That is interesting. Safeway (at least in the Pacific Northwest) has used IBM for years; however, there was a time that the different divisions used different systems. Albertsons also used a number of different setups for years, but seems to have mostly moved to NCR. They may be adapting one system to be used across the different store names, much like Kroger has done. But still, a new system is typically faster, not the other way around.

Target used IBM for many years, and I have noticed they are now using NCR.

IBM is still one of the most common systems in use. However, I know that some of their components can trace their design all the way back to the late 1980s.

Post by Alpha8472 »

Supervalu reports a second security breach. This is the second time in 6 weeks. Apparently, even after a previous breach, the company is still vulnerable to further breaches.

Malware was installed on Supervalu's computer network. Enhanced security had not yet been implemented at some of the stores that Supervalu handles. With so many stores, Supervalu was unable to secure all of their stores to prevent further breaches. The breach is believed to have occurred between August 27 and September 21 at some Cub Foods stores.

These breaches are becoming common. It could be malware or it could be tampered credit card readers. Hackers are working around the clock to come up with new ways of stealing credit card information.

Post by storewanderer »

The new Safeway systems are still IBM. It is the same software and hardware as Whole Foods uses, also Winn Dixie uses this. It just is a full touchscreen keyboard. It is less efficient than the older keyboards but these companies never learn.

Some Kroger divisions have these too. I believe the Colorado Stores. I don't think they moved them outside Colorado. Probably after determining they cut efficiency.

The former Supervalu ABS Stores are on NCR. But the LLC Stores are on the old legacy ABS system from back when the company was still all one, so those are on IBM.

On another note about ABS, the United-TX Stores have started to carry Supervalu private labels...