Supervalu Says Hackers May Have Stolen U.S. Customers’ Data

Aug 15, 2014 4:28 pm ET

(Updates share price in fifth paragraph.)

Aug. 15 (Bloomberg) -- Supervalu Inc., a U.S. supermarket chain concentrated in the Midwest, suffered a data breach that exposed customers’ payment-card information, marking the latest hacker attack on the retail industry.

The data may have been stolen from cards used in Supervalu stores from June 22 to July 17 following a network intrusion, the Eden Prairie, Minnesota-based company said in a statement today. Payment companies have been notified and law-enforcement agencies are investigating the breach, which affected 180 Supervalu markets and liquor stores, it said.

Supervalu joins a lengthening list of companies whose systems have been compromised. Minneapolis-based retailer Target Corp. was victim of a breach last year that allowed hackers to gain access to payment data for 40 million customers’ cards. Hackers in Russia have amassed 1.2 billion sets of looted user names and passwords, the largest known cache of stolen personal information, Hold Security LLC said this month.

“We have had no evidence of any misuse of any customer data,” Supervalu Chief Executive Officer Sam Duncan said in today’s statement. “I regret any inconvenience that this may cause our customers, but want to assure them that it is safe to shop in our stores.”

Supervalu’s stock dropped 2.9 percent to $9.31 at the close in New York. Before today, the shares had climbed 32 percent this year.

Time Lag

The fact that the Supervalu breach occurred a month ago raises questions about why it took so long to hear about it, said Michael Sutton, vice president of security research at Zscaler Inc.

“If someone’s data was stolen, they should know about that as quickly as possible,” Sutton said. “Supervalu indicated that they uncovered the breach. If that’s the case, then when, and why has this taken so long to get out?”

Cybercrime costs as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a June report by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.

Such breaches threaten to drive customers away and can also be dangerous for company executives.

Target CEO

Target’s board ousted CEO Gregg Steinhafel in the wake of the data theft last year. The retailer’s reputation and store visitor numbers were hurt after the attack became public in December, while its U.S. comparable-store sales fell 2.5 percent in the fourth quarter. Target said earlier this year that it would spend $100 million to accelerate the rollout of cards with better security technology.

Luxury retailer Neiman Marcus Group Ltd. and LivingSocial Inc., the daily coupon website based in Washington, were also hit by cyber-attacks in 2013.

While some of the highest-profile victims of hacking have been U.S. companies, the problem is global. Orange SA, France’s largest phone company, said in May that 1.3 million people had personal information stolen because of a breach in a technical platform, the second attack on the company this year.

Supervalu is treading carefully in responding to its breach, Sutton said.

“They are just moving extremely cautiously and only saying what they have to say,” he said. “I have no doubt that more will come out.”