
Supervalu Becomes Another Hacking Victim

Soulskill posted about a month ago | from the another-day-another-breach dept.

Security 27

plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.


27 comments


Albertsons too (1)

Anonymous Coward | about a month ago | (#47681511)

Albertsons too

http://www.chicagotribune.com/business/breaking/chi-report-jewel-osco-hacked-20140815-story.html

Re:Albertsons too (-1)

Anonymous Coward | about a month ago | (#47681667)

I live in Alaska. I am homeless. The biggest problem if you are homeless in Alaska is not being hacked, it's defecating. Wild bears are everywhere. Dunno HOW many times I've been dumping my ass in the woods, and alla sudden, you hear a noise, and it's a Wild Bear right next to you with the same idea. It can be unsettling to say the least. Once, I was crapping in a forest, reading the paper, and a Wild Bear came right up beside me, crouched down real low, and appeared to be looking at my paper, like he was tryna read it. I didn't even wipe. Got up real slow, left him my paper, and he seemed cool with that. Got that idea from an old book I found in the bathroom of a truck stop. Saved my bacon, I'll tell you that.

No Surpris (2)

TechyImmigrant (175943) | about a month ago | (#47681549)

They can't even spell their own name.

Why do they have this data in the first place? (0)

Anonymous Coward | about a month ago | (#47681573)

Aren't you supposed to delete this stuff as soon as you transmit it and receive payment confirmation?

Re:Why do they have this data in the first place? (3, Informative)

plover (150551) | about a month ago | (#47682049)

There are typically two phases to processing credit. In the first phase, called authorization, the terminal sends the request to the bank via their processor and requests authorization: hey, bank, will you approve $100? The bank sends back a 'yes' which is returned to the terminal, but no money changes hands at this time. The processor saves up the day's batch of authorization requests.

In the second phase, called settlement, the processor sends the batch to the bank, either later that night, or every few hours, or whenever. The bank then transfers the funds for every authorized transaction in the batch.

This is different from debit, where the funds are transferred in a single step.

Re:Why do they have this data in the first place? (1)

wkk2 (808881) | about a month ago | (#47685141)

Do chip and pin cards even work in the US? I've tried at Home Depot, Staples, Walmart, USPS, and even a small haircut place and the cards don't work. One place even yelled at me for trying to use the chip slot.

Re:Why do they have this data in the first place? (1)

plover (150551) | about a month ago | (#47686655)

Chip and PIN cards don't work at most U.S. retailers today, but as of October 2015 the Payment Card Industry has scheduled a change to the contracts in what is being called the "liability shift". It means that whoever has the least security in the payment chain will be held liable for non-payment or fraud for the charges incurred. So if Home Depot doesn't accept a chip card, and your bank's card has a chip on it, then Home Depot will be liable because their system is the least secure. Or if Home Depot's systems are able to accept the chip cards, but your bank's card doesn't have a chip, then your bank will be liable. This penalty is a huge financial incentive for both retailers and banks to upgrade the security of their systems to fully support Chip and PIN by that date so they don't get left holding the bag.

Once Chip and PIN systems are deployed to most places, they will begin requiring the removal of mag stripes. That's when the final pieces of security will kick in, and account number theft will be essentially eliminated.

Re:Why do they have this data in the first place? (0)

Anonymous Coward | about a month ago | (#47683069)

> Aren't you supposed to delete this stuff as soon as you transmit it and receive payment confirmation?

One of the common "modern" hacks is to capture the data in transit. Like infecting the card-swipe machine to scrape the data out of RAM. So even when it isn't "stored" anywhere permanently the hackers still get copies. That was one of the techniques used against Target. [spideroak.com]

In other news (4, Funny)

TechyImmigrant (175943) | about a month ago | (#47681575)

SuperValu are the the only ones. Targe, WallMar and Whole Food were also hacked.

Re:In other news (0)

Anonymous Coward | about a month ago | (#47681605)

l2english noob.

Re:In other news (1)

TechyImmigrant (175943) | about a month ago | (#47681807)

Oh noes

Re:In other news (1)

uCallHimDrJ0NES (2546640) | about a month ago | (#47681823)

That's not how you spell Hole Foods.

Re:In other news (1)

Loopy (41728) | about a month ago | (#47682165)

If I had them, all my mod points are belong to you.

Hannaford (0)

Anonymous Coward | about a month ago | (#47681587)

For those of you on the east coast, this is also the parent company of Hannaford.

Between June 22 and July 17? (0)

Anonymous Coward | about a month ago | (#47681597)

So it went on for a month before anyone noticed?

Fun fact (0)

Anonymous Coward | about a month ago | (#47681635)

Supervalu means incredible pain in Estonian.

I protest (1)

Mister Liberty (769145) | about a month ago | (#47681821)

To the misuse of the word 'hacking'.

vegetable section: IT offices (1)

swschrad (312009) | about a month ago | (#47682027)

fact is, it's a pretty soft underbelly, this electronic commerce thing. it's the system that's rotten, and the top bananas are way green in this stuff. going to be a lot of meat robots canned before electronic payments make the cut.

Bah (0)

Anonymous Coward | about a month ago | (#47682115)

True hackers wouldn't need to physically break in.

Exactly. (1)

WindBourne (631190) | about a month ago | (#47683213)

It is cheaper and faster to simply buy an insider.

First Target, now this? (1)

miller701 (525024) | about a month ago | (#47683107)

What's going on with pickin' on our nice Minnesota retailers? I guess Best Buy is next!

New Disease Discovered (0)

Anonymous Coward | about a month ago | (#47683147)

It has no known symptoms. Said to afflict only those in New Jersey.

What do all of these companies have in common? (1)

WindBourne (631190) | about a month ago | (#47683203)

1) They run Windows.
2) they have outsourced to India esp. the production.
3) nearly all of these companies do NOT operate in India, EXCEPT for hiring coders/admin.

You have systems admin that are paid less than $8,000 / year. If you are Russia or China, would you spend large sums of money to break into a store to get access to a production system, all while having your insider possibly getting caught, OR, would you spend just 50K, approach an admin that is doing work on production and all s?he has to do, is release a worm quietly on the production, that will NOT hurt other employees?
If we westerners, esp American MBAs, are dumb enough to outsource this work like this, we deserve what we are getting.

For those thinking that these are insider jobs (2)

WindBourne (631190) | about a month ago | (#47683225)

BTW, for those that think that these were companies that were cracked by ppl walking into the stores, here you go
www.chicagotribune.com/business/breaking/chi-report-jewel-osco-hacked-20140815-story.html

The list of retailers that have been hit by breaches just this year includes Recreational Equipment Inc., CVS/Caremark, Goodwill Industries International Inc., Ebay, Aaron Brothers, Sally Beauty Supply, Home Depot, Sears, Michaels Stores and Neiman Marcus.

And that does not include either Jewel Osco, Target, or Supervalu. In addition, all have been done in less than 9 months.
So, is this ppl running around the nation going into all of these companies? Nope. Possibly a backdoor was found on the network equipment. But, I suspect that they have simply bought some ppl in the nations that they have outsourced to.

Re:For those thinking that these are insider jobs (0)

Anonymous Coward | about a month ago | (#47686117)

Target was hacked via their HVAC system. [krebsonsecurity.com]

Re: For those thinking that these are insider jobs (0)

Anonymous Coward | about a month ago | (#47702841)

No, that was never proven. All that was known was that a key was missing. That does not mean that it was the point of entry.

Wow (0)

Anonymous Coward | about a month ago | (#47684489)

I haven't heard of a SuperValu (sometimes seen as a Dan's or a King's) since the Midwest. Sure as shit never thought it'd be high profile enough to hack (security through obscurity).
