Supervalu data breach affects more than 1,000 stores nationwide

Supervalu Inc. warned Friday that hackers attacked computer systems containing customer information from 1,016 grocery and liquor stores around the country, including 60 stores in Minnesota.

Three Cub Foods stores in St. Paul were affected, while no breaches were reported in Minneapolis. Many of the other Minnesota stores were in suburbs like Arden Hills, Apple Valley, Bloomington, Brooklyn Park, Burnsville, Blaine, Maplewood and Plymouth.

There is no evidence as yet that actual cardholder information was stolen or misused, Supervalu said. Spokesman Jeff Swanson said the company decided to notify customers "out of an abundance of caution."

The exposure occurred between June 22 and July 17, the Eden Prairie-based company said.

It affected 180 Supervalu stores in Illinois, Minnesota, Missouri, North Carolina, North Dakota and Virginia. Those stores operate under the names of Cub, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy. The company's Save-A-Lot stores were not breached.

Cyberthieves also attacked the data system of AB Acquisition LLC, the firm formed when Supervalu sold Albertsons and other groceries last year. Supervalu continues to provide technology services to the 836 stores — operating under the names Albertsons, ACME Markets, Jewel Osco, Shaw's and Star Markets — that were affected in 21 states.

Supervalu declined to say exactly when the breach was discovered. The company and federal authorities are investigating exactly how the breach occurred.

Michaels Stores, Neiman Marcus, P.F. Chang's and other stores and restaurant firms all experienced cyberattacks in recent months. Last week, the New York Times reported that a group of Russian hackers stole 1.2 billion user names and passwords from thousands of websites owned by retailers and Fortune 500 companies.

Jacob Ansari, a data forensics manager at Sikich LLP's 403 Labs in Brookfield, Wis., said consumers would ultimately bear little cost if the attack on Supervalu and AB Acquisition leads to fraudulent use of credit cards. Most issuers of credit cards hold the consumer liable for only $50 of fraudulent activity.

Instead, Ansari said, Supervalu and card issuers could wind up with the bigger bill.

"They will have whatever it costs to investigate the incident and the cost to reissue the affected cards. That could be $3 to $11 just to reissue each card," Ansari said. "The cost could be pretty big depending on how many cards were involved."

Ansari said the case stood out from other cyberattacks because it affected data systems across company lines.

Supervalu CEO Sam Duncan said in a statement that the "safety of our customers' personal information is a top priority for us. The intrusion was identified by our internal team, it was quickly contained and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers."

The company said it would provide 12 months of free identity protection services through AllClear ID to customers who asked. A call center will be staffed beginning Monday to answer customers' questions. That number is (855) 731-6018. Until Monday, concerned customers are being directed to the company website, where a list of the affected stores is posted, Swanson said.

Cyberattacks also create other financial and public relations risks for companies. In Target's case, the breach last November and December reduced sales just before Christmas and, months later, contributed to the departure of several executives, including its top leader, Gregg Steinhafel.

Ansari said Target's case was unique because there was little time between the breach and when fraudulent activity began to appear with its customers' credit cards.

Normally, it takes months for fraud to appear because the stolen data is sold and resold among criminals. "By that time, a financial institution has usually flagged the transaction, canceled the card and issued a new one," Ansari said.