TMCnet News

Jewel-Osco stores hit again by data hack [Chicago Tribune]
[September 30, 2014]

Jewel-Osco stores hit again by data hack [Chicago Tribune]


(Chicago Tribune (IL) Via Acquire Media NewsEdge) Sept. 30--All Jewel-Osco stores in Illinois, Indiana and Iowa were among several U.S. supermarkets affected by another recent card fraud incident, the chain's parent company said.

The latest attack appears to have occurred in late August or early September, AB Acquisition said. The attack also hit some stores operated by Jewel-Osco's former owner, Supervalu, which continues to provide IT services to Jewel-Osco and other chains it no longer owns.



Jewel-Osco's parent company could not say on Tuesday how many people were affected by the incident, which was disclosed Monday. The company said it believed the malware issue affected all Jewel-Osco stores.

The latest attack appears to involve malware different than was used in an incident announced in mid-August. Investigations into both incidents continue, AB Acquisition said.


"What was particularly interesting in this is that the breach came out after they had already notified that there was an initial breach," said D.J. Vogel, a partner, security and compliance practice leader at Sikich, a professional services firm based in Naperville. "That would suggest that the breach may not have been initially contained." The new malware may have captured account numbers, expiration dates, other numerical information and cardholders' name, the companies said. But sensitive information such as Social Security numbers and birthdates were not captured, they added.

Several major chains, including Home Depot, Neiman Marcus and Target, have been hit by data breaches in recent months. Last week, Champaign-based sandwich chain Jimmy John's said it learned of a data breach involving credit and debit card data at 216 of its locations, including four in Chicago and more than a dozen in the suburbs.

"The same types of attacks that were happening years ago are still causing the same problems," said Vogel, who noted that consumers generally are not responsible for fraudulent credit card charges.

Jewel-Osco said it has not determined that any cardholder data was stolen, and that it had no evidence that any such data was misused. The company said it believed the issue was contained and that it was confident that shoppers could safely use credit and debit cards in its stores.

Anyone who used a credit or debit card at the company's stores from June 22 to July 17 or from Aug. 27 to Sept. 21 is being offered 12 months of free consumer identity protection services from AllClear ID. (Customers can call 855-865-4449.) Credit monitoring is not being offered. Jewel-Osco is telling customers to monitor their accounts and contact the bank that issued their cards if they see suspicious activity.

Along with Jewel-Osco, other stores impacted in the latest attack were Albertsons in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah; ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island, AB Acquisition said.

Supervalu said it believes upgrades to its protective technology limited the latest malware's ability to capture card data. Supervalu said it believes the latest malware may have gathered data from cards used at some checkout lanes at four franchised Cub Foods stores in Minnesota, where it had not completed technology enhancements.

[email protected] Twitter @jessicawohl ___ (c)2014 the Chicago Tribune Visit the Chicago Tribune at www.chicagotribune.com Distributed by MCT Information Services

[ Back To TMCnet.com's Homepage ]