SuperValu has confirmed that is has, indeed, suffered a data breach. The supermarket company stated that what it calls a "criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores, including some of its associated stand-alone liquor stores" may have resulted in "the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores."
If you thought that was a bit of a mouthful as far as breach disclosures go, you probably wouldn't want to read the paragraph that follows and which states that the company "has not determined that any such cardholder data was in fact stolen by the intruder" and that it has no evidence to suggest the same. It goes on to say it's making the announcement "out of an abundance of caution." Cut through the cautious, and at times confusing, language and at least you can appreciate that SuperValu is doing the right thing. How timely it has been in doing that is harder to fathom.
The statement says that the earliest period the data could have been compromised was June 22nd, through to July 17th at the latest. What isn't 100% clear is exactly when the breach was discovered, although SuperValu does state it "took immediate steps to secure the affected part of its network" and that "an investigation supported by third-party data forensics experts is on-going to understand the nature and scope of the incident." What is clearer, however, is that 180 stores and stand-alone liquor outlets appear to have been involved including those operated under the banners of Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy banners. SuperValu states that it doesn't believe any of its 'Save-A-Lot' stores were impacted.
George Anderson, Director at security vendor Webroot, says he thinks "it’s actually refreshing to see how well SuperValu has handled the incident." Anderson cites numerous companies which have experienced harsh criticism for covering up breaches and not being transparent with customers, leaving them vulnerable to phishing attacks. "SuperValu on the other hand" he reckons "is a brilliant example of how a breach should be managed – openly providing information, informing customers, opening the investigation and offering free identity management service for those who could have been affected by the breach. Such actions show that the company has the right attitude to cyber security – accepting the fact that a cyber-attack is a matter of time, rather than a possibility and ensuring the right mitigation plans are put in place should the worse happen."
Meanwhile, Steve Hultquist who is chief evangelist at RedSeal Networks, say that this attack looks similar to the one that hit Target last year. "Retailers were warned at the time that more of them had likely been attacked" Hultquist explains "these breaches continue to demonstrate the sophistication of the attackers and the reward they receive being worth the investment they make in their attacks."
Investments which mean organizations must likewise increase their defensive investments, especially in the analysis of potential attack vectors. "Simply reacting while attacks are in progress is insufficient" Hultquist warns, concluding "each enterprise must know its network security architecture and have automated analysis to ensure that the entire end-to-end network complies with its policies. Not doing so is effectively agreeing to be attacked in unknown ways and having to deal with the impacts of a breach."