As Many As 2.4 Million Card Numbers Stolen in Breach at Regional Grocery Chain Schnuck’s

Written by Frank Hayes
April 17th, 2013

Who says regional chains can’t compete with the big boys? On Sunday (April 14), the 100-store Schnuck Markets grocery chain revealed more details about the breach it reported in March, and the numbers are impressive: 79 stores breached, with as many as 2.4 million payment card numbers potentially stolen over a four-month period. That puts it in the same class as breaches in recent years at Barnes & Noble, Michaels, Aldi and Hancock Fabrics stores.

But unlike those attacks, Schnuck’s said its PINpads were not tampered with—the attack was apparently done entirely through malware implanted somehow on Schnuck’s payment-related systems. An even more troubling revelation: The breach activity seems to have begun on Dec. 1, less than a month after the chain’s QSA validated its systems as PCI DSS compliant.

Schnuck’s said point-of-sale data was compromised at stores in Missouri, Illinois, Indiana and Iowa, and card numbers and expiration dates (but no other personal information) were stolen between Dec. 1 and March 29, when the breach was identified and blocked by forensic experts hired by the St. Louis-based grocer. Schnuck’s first publicly reported the breach on March 30, just a day after the attack was blocked.

According to a timeline released by the chain, Schnuck’s was first notified by its payment processor on March 15 that 12 customers had experienced fraud after they used their cards at Schnuck’s stores. The company ruled out store employee fraud and physical point-of-sale tampering, then hired fraud-detection company Mandiant, which found malware on some of Schnuck’s systems on March 28 and blocked it within 36 hours.

What is most worrisome about the sequence of events is that the breach activity began almost immediately after a successful PCI validation. What happened? Schnuck’s hasn’t explained exactly how the card data was stolen or where the malware that fed it to thieves was found. But if it wasn’t taken from PINpads, the card data must have been stolen either from stored numbers (but a QSA had presumably just confirmed that card numbers weren’t being stored, right?) or while it was in transit to the card processor.

What might have happened? Worst-case scenario: A bad QSA intentionally planted the malware. Only slightly less-bad scenario: An incompetent QSA missed malware that was already in Schnuck’s systems, or missed the security hole through which thieves were able to slip the malware in.

Let’s assume that this wasn’t a case of a nightmare QSA. How could freshly validated systems suddenly show up with malware? As with a bad QSA, it might have been a bad employee in IT who intentionally planted the code—another nightmare scenario for every retailer.

But there’s a more innocent and painfully likely possibility: An employee at headquarters might have inadvertently introduced the malware, either by downloading something or plugging a thumb drive into a PC’s USB port.

Some experts have speculated that the thieves crafted their attack specifically for Schnuck’s systems, which is why it took the forensic investigators more than a week to track it down. Suppose that’s true. Thieves watching Schnuck’s might have spotted telltale signs of a PCI validation going on—an unexpected car in the parking lot, plus a little DMV lookup on the license plate, could have fingered a QSA the low-tech way.

Once that car was gone and the testing was presumably over—and everyone in IT was breathing a sigh of relief—thieves could have scattered a fistful of malware-primed USB thumb drives in that same parking lot. All it might have taken was one curious employee who plugged a thumb drive into a PC inside the firewall for the malware to get a foothold.

Will we ever know? We might—Schnuck’s was hit with two separate class-action lawsuits last week, both alleging that the chain failed to secure customer data and failed to promptly inform customers that their personal information was compromised. If either case goes to trial and a full explanation of what happened comes out in court, we might all get a little more insight into what appears to be the state of the cyberthief’s art.
