The Schnucks supermarket chain struggled for two weeks to find the source of a breach after being alerted to a possible leak of credit card info by its card processing company. During that time, Schnucks apparently continued exposing the debit and credit card data of people who shopped at its stores.
Details about the breach were released Monday after an investigation into what happened.
Schnucks is a St. Louis-based supermarket chain that owns 100 stores and 96 in-store pharmacies in a five-state region in the Midwest. On March 30, the company announced that it had found and contained a data breach that had potentially exposed credit and debit card data on an unknown number of its customers.
In an update released today, Schnucks said its investigation shows that data on about 2.4 million credit and debit cards used by customers at 79 stores may have been exposed. According to the company, only card numbers and expiration dates appear to have been exposed, not the cardholder's name, address or other identifying information.
A detailed timeline of events posted on its site shows that Schnucks first learned of a possible intrusion on March 14. That's when the chain's card processor alerted officials about fraud on a handful of cards that had been used recently. It launched an internal investigation and quickly ruled out insider theft and point-of-sale devices as potential causes.
On March 19, the company hired security firm Mandiant to investigate further amid reports of more fraud. But even with the help of a professional security services firm, Schnucks was not able to isolate and shut down the breach until March 28. It took another 36 hours to contain the breach and bolster security to prevent a recurrence.
In its update today, Schnucks warned that the breach affected cards used by customers between December 2012 and March 29, 2013. That time frame suggests that the company was continuing to leak credit and debit card information between the time it was first alerted of a problem and the time it actually fixed it.
Schnucks' experience highlights the growing sophistication of such attacks and the challenges companies face in dealing with them, said Avivah Litan, an analyst with Gartner in Stamford.
"You'd think they would have figured out what to shut off or at least how to control their traffic" to prevent further data leaks, Litan said. The fact that the company was unable to locate the source of the breach for so long shows how good attackers are getting at concealing their tracks, she said.
Increasingly, attackers have been resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection. "They cloak their malware or hide it within seemingly innocuous files so that it's very difficult to detect," she said.
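The cloaking the analyst describes, card data encrypted and tucked inside an innocuous-looking file, is something a scan of outbound traffic or file shares can still flag, because a PNG decoder stops reading at the IEND chunk and anything appended after it is dead weight that a real image would not carry. The Python below is an added example written for this page; it is not code from Schnucks, Mandiant or the article. It builds a constructed 1x1 PNG, appends an "encrypted" dump of 100 constructed Luhn-valid test PANs to it, and scans each file for two signals: Luhn-valid 13-19 digit runs in plaintext, and a large high-entropy trailer after the PNG IEND chunk. The file names, the 7.0 bits-per-byte threshold, the 256-byte minimum trailer size and the SHA-256 keystream standing in for the attacker's real encryption are all assumptions of the example.

```python
# Added example: detect card data hidden in plaintext or cloaked inside a PNG.
# Every file, key and threshold here is constructed for the demonstration.
import hashlib
import math
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate card-number runs


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


PNG_IEND = _chunk(b"IEND", b"")  # every valid PNG ends with this 12-byte chunk


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Digit that makes body+digit Luhn-valid (only used to build test PANs)."""
    return next(str(d) for d in range(10) if luhn_valid(body + str(d)))


def find_pans(data: bytes) -> list[str]:
    """Luhn-valid digit runs in raw bytes (latin-1 keeps a 1:1 byte mapping)."""
    return [m for m in PAN_RE.findall(data.decode("latin-1")) if luhn_valid(m)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/random data, roughly 3-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def png_trailer(data: bytes) -> bytes:
    """Bytes after IEND; decoders ignore them, which is why attackers use the space."""
    if not data.startswith(PNG_SIG):
        return b""
    end = data.find(PNG_IEND)
    return data[end + len(PNG_IEND):] if end >= 0 else b""


def scan(data: bytes, entropy_threshold: float = 7.0, min_trailer: int = 256) -> dict:
    """Flag a file carrying plaintext PANs or a large high-entropy PNG trailer."""
    pans = find_pans(data)
    trailer = png_trailer(data)
    ent = shannon_entropy(trailer)
    return {
        "pans": pans,
        "trailer_len": len(trailer),
        "trailer_entropy": round(ent, 2),
        "suspicious": bool(pans) or (len(trailer) >= min_trailer and ent >= entropy_threshold),
    }


# ---- constructed sample files (assumptions, not data from the breach) ----
def minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG: IHDR + IDAT + IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + PNG_IEND


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in for the attacker's encryption: SHA-256 counter keystream XORed in."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_pan(prefix: str, i: int) -> str:
    """Deterministic Luhn-valid 16-digit test PAN (not a real card number)."""
    body = prefix + f"{i:0{15 - len(prefix)}d}"
    return body + luhn_check_digit(body)


def build_samples() -> dict[str, bytes]:
    """A clean image, a raw card dump, and the dump encrypted and hidden in the image."""
    dump = "\n".join(f"{make_pan('4111', i)};{i % 12 + 1:02d}{23 + i % 3}"
                     for i in range(100)).encode()
    clean = minimal_png()
    return {
        "clean.png": clean,
        "card_dump.txt": dump,
        "stego.png": clean + xor_keystream(dump, b"constructed-attacker-key"),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = scan(blob)
        print(f"{name:14} pans={len(r['pans']):3d} trailer={r['trailer_len']:5d}B "
              f"H={r['trailer_entropy']:.2f} suspicious={r['suspicious']}")
```

The two checks catch different stages of the exfiltration: the Luhn scan finds card numbers staged in the clear, which the encrypted sample defeats, while the trailer check ignores content entirely and asks why a valid image has kilobytes of near-random data after its last chunk. In production the same idea extends to other container formats (JPEG after the EOI marker, ZIP after the end-of-central-directory record) and to outbound HTTP bodies, and the entropy threshold should be tuned against a sample of the organization's own legitimate files.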