UPDATE 2-U.S. supermarket chain Supervalu investigating potential data breach

Fri Aug 15, 2014 1:33am EDT

(Changes source, adds CEO comment and details from statement)

Aug 15 (Reuters) - Supervalu Inc said it is investigating a potential data breach that could have affected some of its retail food stores, including some of its associated stand-alone liquor stores.

Supervalu said the intrusion may have resulted in the theft of account numbers and other numerical information from payment cards used at some point-of-sale systems at the company's owned and franchised stores.

The retailer said the intrusion appears to have taken place between June 22 and July 17.

"The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data," Supervalu CEO Sam Duncan said in a statement early on Friday.

Supervalu, which had 3,763 outlets as of April, said customers can safely use their credit and debit cards in its stores.

The company also said it has notified federal law enforcement authorities and is cooperating in their efforts to investigate this intrusion. It has also notified the major payment card brands.

Companies in the United States, particularly retailers, have been targeted by hackers for customer data on payment cards.

U.S. retailer Target Corp is struggling to win back customers after it suffered a huge data breach last year that resulted in the theft of 40 million payment card numbers and 70 million other pieces of customer data such as email addresses and phone numbers.

Michaels Stores Inc, the biggest U.S. arts and crafts retailer, said in May it also suffered a security breach that may have affected about 2.6 million payment cards.

Reuters reported in January that smaller breaches at at least three other well-known U.S. retailers had been carried out using techniques similar to those used against Target.

Retailers are often reluctant to report breaches out of concern it could hurt their businesses. Target only acknowledged its 2013 attack after security blogger Brian Krebs reported the breach, prompting inquiries from journalists and investors.

Most states have laws that require companies to contact customers when certain personal information is compromised. In many cases the task of notification falls on the credit card issuer.

Merchants are required to report breaches of personal information including social security numbers. (Reporting by Supriya Kurane and Ramkumar Iyer in Bangalore; Editing by Lisa Shumaker and Ken Wills)

Ann8lise wrote:
If the breach had been “quickly contained” it would not have gotten into the payment network in the first place. Almost all breaches of a payment network start in some other Internet facing network partition. The breach started where the breach occurred first, and then propagated to the payment network. If the 25 days it took to contain the breach started when the payment network was breached (which is probably the case) then you can easily assume the breach started earlier.

The basic points we keep seeing with all of these breaches are:
1. Payment network breaches start in other network partitions and laterally propagate to the payment network.
2. Once malware is on a POS, it propagates vertically to other POS systems unabated over MPLS and VPN connections.
3. All of the breached companies had an inadequate containment architecture to halt a breach to the breached segment alone.
4. The complexity of the existing networks rendered most logging and malware detection tools ineffective, not because they did not work, but because the expanse and complexity of the network are overwhelming the IT staffs.
5. The perimeter of the network is undefinable and the attack surface is un-defendable.

What is even more surprising is that corporate IT staff are still investing in the belief that more layers of security will solve the problem. As the old saying goes, continuing to do the same thing over and over again hoping it will work is insanity. Especially when the CIO's livelihood and the company's survival are potentially at stake.

Eric Schmidt, Vice Chairman of Google, is quoted as saying that the current enterprise network architecture is broken and he attributes the tablet as the straw that broke the camel's back. The rise of the Internet and Internet-facing applications has eroded the security of a 50-year-old architecture. Mr. Schmidt predicts that enterprises will have to rip out their current network architectures and replace them with application-specific architectures. Did you get that? The Vice Chairman of one of the world's most visionary companies has clearly stated that the status quo will not work. More layers will not work. More of the same will not work. He also gives a clear recommendation: application-specific networks.

Why? Because application-specific networks segment each application into its own dedicated virtual logical network that does not share routing elements with other networks. In other words, they provide end-to-end network-wide segmentation that enables a containment-based architecture that stops breaches at the breached segment. Think about that for a moment…
Wait for it…
Wait for it…

Yes, had application-specific networks been used at Target and the 600 plus other breached companies in 2013, the breach would have never reached the POS system in the first place. Each of those companies may still have been breached, but they would have prevented the lateral and vertical propagation that has ultimately damaged their businesses.

The writing is on the wall. Smarter people than I have pointed out a better approach. The technology is available. Companies like Google, Shell, Little Caesars and ExxonMobil have already made the switch to application-specific networks. The clock is ticking. Why are you still investing in what is not working?

Aug 15, 2014 11:21am EDT