As Many As 2.4 Million Card Numbers Stolen in Breach at Regional Grocery Chain Schnuck’s
Written by Frank HayesWho says regional chains can’t compete with the big boys? On Sunday (April 14), the 100-store Schnuck Markets grocery chain revealed more details about the breach it reported in March, and the numbers are impressive: 79 stores breached, with as many as 2.4 million payment card numbers potentially stolen over a four-month period. That puts it in the same class as breaches in recent years at Barnes & Noble, Michaels, Aldi and Hancock Fabrics stores.
But unlike those attacks, Schnuck’s said its PINpads were not tampered with—the attack was apparently done entirely through malware implanted somehow on Schnuck’s payment-related systems. An even more troubling revelation: The breach activity seems to have begun on Dec. 1, less than a month after the chain’s QSA validated its systems as PCI DSS compliant.
Schnuck’s said point-of-sale data was compromised at stores in Missouri, Illinois, Indiana and Iowa, and card numbers and expiration dates (but no other personal information) were stolen between Dec. 1 and March 29, when the breach was identified and blocked by forensic experts hired by the St. Louis-based grocer. Schnuck’s first publicly reported the breach on March 30, just a day after the attack was blocked.
According to a timeline released by the chain, Schnuck’s was first notified by its payment processor on March 15 that 12 customers had experienced fraud after they used their cards at Schnuck’s stores. The company ruled out store employee fraud and physical point-of-sale tampering, then hired fraud-detection company Mandiant, which found malware on some of Schnuck’s systems on March 28 and blocked it within 36 hours.
What’s more worrisome about the sequence of events is probably the fact that breach activity began almost immediately after a successful PCI validation. What happened? Schnuck’s hasn’t explained exactly how the card data was stolen or where the malware that fed it to thieves was found. But if it wasn’t taken from PINpads, card data must have been stolen either from stored numbers (but a QSA had presumably just confirmed that card numbers weren’t being stored, right?) or while it was in transit to the card processor.
What might have happened? Worst-case scenario: A bad QSA intentionally planted the malware. Only slightly less-bad scenario: An incompetent QSA missed malware that was already in Schnuck’s systems, or missed the security hole through which thieves were able to slip the malware in.
Let’s assume that this wasn’t a case of a nightmare QSA. How could freshly validated systems suddenly show up with malware? As with a bad QSA, it might have been a bad employee in IT who intentionally planted the code—another nightmare scenario for every retailer.
But there’s a more innocent and painfully likely possibility: An employee at headquarters might have inadvertently introduced the malware, either by downloading something or plugging a thumb drive into a PC’s USB port.
Some experts have speculated that the thieves crafted their attack specifically for Schnuck’s systems, which is why it took the forensic investigators more than a week to track it down. Suppose that’s true. Thieves watching Schnuck’s might have spotted telltale signs of a PCI validation going on—an unexpected car in the parking lot, plus a little DMV lookup on the license plate, could have fingered a QSA the low-tech way.
Once that car was gone and the testing was presumably over—and everyone in IT was breathing a sigh of relief—thieves could have scattered a fistful of malware-primed USB thumb drives in that same parking lot. All it might have taken was one curious employee who plugged a thumb drive into a PC inside the firewall for the malware to get a foothold.
Will we ever know? We might—Schnuck’s was hit with two separate class-action lawsuits last week, both alleging that the chain failed to secure customer data and failed to promptly inform customers that their personal information was compromised. If either case goes to trial and a full explanation of what happened comes out in court, we might all get a little more insight into what appears to be the state of the cyberthief’s art.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
