Supervalu, Albertsons Hit With Second PoS Attack

Supermarket chain Supervalu and partner Albertsons have been attacked again, this time with a different malware variant from the one used in the breach Supervalu disclosed in August.

Supervalu had previously been the victim of a criminal intrusion that may have affected 1,000 stores across the US. That included about 200 of its grocery and liquor stores (under the brands Cub Foods, Hornbacher's and Farm Fresh), along with those to which it provides technology services—namely Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets in about two dozen states. For now, the company still has not determined whether any cardholder data was, in fact, stolen by the intruder during that incident.

Now, in what it believes to have been late August or early September 2014, an intruder installed different malware into the portion of its computer network that processes payment card transactions at some of its Shop ’n Save, Shoppers Food & Pharmacy and Cub Foods-owned and franchised stores, including some of its associated stand-alone liquor stores.

The company thinks that, in the wake of a beefed-up security posture stemming from the first incident, the malware did not succeed in capturing data from any payment cards used at any of its own stores other than at some checkout lanes at four Cub Foods franchised stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, Minn.

“We care greatly about our customers, and the safety of their personal information will continue to be a top priority for us,” said president and CEO Sam Duncan, in an official statement on the website. “We’ve taken measures to install enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data and we will continue to make these investments going forward.”

He also said that some stores owned and operated by Albertsons experienced a related criminal intrusion, also in what is believed to have been late August or early September 2014. For its part, Albertsons has yet to make a statement on the latest event.

Security experts say more holistic visibility is an ongoing requirement. “As breach reports continue to grow, and reports of repeated attacks on the same targets also become more common, enterprises' approach to defense must expand from the more typical reactive monitoring and alerting to also include automated cyber-attack prevention by analyzing the entire end-to-end network, the security architecture and auditing possible access paths to make sure all controls are operating as intended and will survive network changes,” said Steve Hultquist, chief evangelist at RedSeal Networks, in an email. “This is a complex problem that requires automation that simplifies and provides visual mapping of the complete environment.”

Marc Malizia, CTO of RKON Technologies, meanwhile offered some advice to Infosecurity on what Supervalu and other company execs should consider when recovering from a security breach.

“The first step should always be determining what server or servers have been compromised; once located, a disk image of those servers should be made in order to preserve their state,” he said. “To protect chain of custody in the event of a lawsuit, these images should be read-only and secured.”

Also, a containment strategy should be put in place to ensure the compromised server cannot infect other servers or devices. And, in order to determine what malware or modifications were made, IT staff should check log files from the compromised servers, firewalls, switches and other security devices. This will also help discover what traffic and/or files were transmitted to the compromised servers. And finally, if the servers contain data which fall under a compliance regulation, companies must be sure to contact and report to appropriate bodies.

In Supervalu’s case, it said that it is working with law enforcement and has notified its payment processors.
