The chain first publicly acknowledged the breach on March 30, but they received the first hint that there might have been one on March 15, when they were informed by credit card companies that banks had detected fraud on 12 different credit cards that had been used at the chain.
Schnucks employed forensic investigators from Mandiant to work with its own IT department to contain the incident, block further access to its systems and networks, and investigate how it came about.
The investigators discovered that the attackers had access to the information from December 2012 to March 29, 2013, but that only card numbers and the cards’ expiration dates were accessed. Cardholders’ names, addresses, and any other identifying information have been kept safe.
Schnucks CEO Scott Schnuck apologized to the affected customers and vowed to earn their trust again.
“Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures,” he stated.
“We’ve worked hard to provide a secure transaction environment for our customers and, today, I make a personal pledge to you that we will be relentless in maintaining the security of our payment processing system.”
The company has involved the US Secret Service and the FBI in the investigation, and is also working with its payment processor to flag every affected card number and deliver a complete list to the appropriate credit card company.
They are also warning users about the potential scams with which they could be targeted.
“We are aware of reports that scammers have attempted to take advantage of this issue by contacting people who may shop at Schnucks and requesting personal information (such as Social Security numbers or credit card numbers) under the guise of investigating this incident. Schnucks will never call, e-mail, or text you to obtain such sensitive personal information, nor do we believe that any financial institution would either. Please immediately report any such attempts to your local police department,” they stated, adding that users should monitor their credit card reports for potential fraudulent charges.