
Schnucks Will Post List Of Stores Hit By Cyberattack

The grocer is still investigating the scope of a data breach that compromised debit and credit card information.

A Schnucks spokesperson could not specify Tuesday exactly when, but said the grocer will identify a list of stores impacted by a cyberattack last month, which left customers vulnerable to identity theft and fraudulent charges on their debit or credit cards, along with a timeframe of when they were vulnerable.

The company has already announced that it had "found and contained" the problem, but hasn't said exactly how it happened. "We have never spoken to scope of this because we just don't know it," Lori Willis said by phone Tuesday morning.

The company released a weekend statement updating the situation, which you can read below.


"We announced on March 30 that we had found and contained the issue.  We strongly believe our containment measures were successful – we have not seen any indication of unauthorized access since those measures were implemented.

Please be assured that the security of our customers’ information is a top priority.  We have been working non-stop to contain this issue, protect customers whose cards may have been accessed, and implement security enhancements to prevent a reoccurrence.  Since we found and contained the issue, our forensic investigation has been focused on identifying each store that was affected and the dates during which cards could have been accessed at each store.  As soon as we complete that analysis in the coming days, we will provide that information to the credit card companies so that they can notify all of the banks who issued cards that may have been accessed.  Those banks will then be able to conduct additional monitoring of those cards or cancel and reissue new cards.  We will also post a list of those stores and the timeframes on our website.


We have been listening intently to our customers since this incident first began.  Our Consumer Affairs department has talked to more than 1,500 of our customers – providing as much accurate information as was available in addition to identifying steps that they could take to protect themselves from fraudulent charges.   We have also been working with state and federal law enforcement authorities, including the Missouri and Illinois Attorneys General, the Secret Service, and the FBI.

 There are two additional perceptions we want to address:

•       Schnucks did not know on March 15 that it had been the victim of a cyberattack.  Rather, Schnucks was informed by credit card companies on Friday, March 15 that banks had detected fraud on 12 different credit cards that had been used at Schnucks.  We immediately began an investigation, and engaged forensic investigators from Mandiant, the leading payment card industry forensic investigation firm.  When Mandiant found the first indication of a cyberattack on March 28, Schnucks’ IT department worked with Mandiant for the next 36 hours to contain the incident and block any further access to payment card data.

•       Schnucks continuously works to maintain its payment card processing environment in compliance with the Payment Card Industry Data Security Standards (PCI DSS).  Schnucks hires a third party security assessor every year to validate its compliance with PCI DSS.  At the most recent annual audit in November 2012, Schnucks was validated by its assessor as PCI DSS compliant.

 If you have any additional questions about this matter, please feel free to call 1-888-414-8022 (Monday – Friday 9 am - 5pm CT)."

Willis told Patch that the consumer affairs division has heard from an out-of-state customer in Iowa and that, while nothing is being ruled out, the problem seems to be focused on the St. Louis area.

Experts have said that even though the issue was contained, customers should still be vigilant with their account statements, since the compromised information may still be in the process of being sold or otherwise passed on to other people who may yet incur fraudulent charges.

