Schnuck Markets Inc. said Saturday it had “found and contained” a breach into its payment system that led to widespread fraudulent charges on customers’ credit and debit cards.
At least some customers said the news restored their confidence.
“I was going to pay cash, but I’m going to use my card now,” said Sandi Reed, standing in line at the Schnucks on Mid Rivers Mall Drive in St. Peters. “I’m OK now. I feel safe.”
A computer forensics team hired by the grocery store chain found evidence of computer code that captured magnetic stripe data on the back of customers’ cards, Schnucks said in a statement. The chain said it was still working to determine how long the issue existed as well as how many customers and stores were affected.
Police investigators have logged at least 200 complaints from victims, who shopped at stores throughout the region, while area banks have reissued thousands of credit and debit cards over the past few weeks. Fraud victims who contacted the Post-Dispatch said they had been refunded for the fraudulent charges.
The grocery store chain said it had taken comprehensive measures to block any further unauthorized access to customers’ cards. “After an extensive review, we confirmed that Schnucks was the victim of a cyberattack,” Scott Schnuck, the company’s CEO, said in the statement.
He went on to say that the security measures taken in the last 48 hours were designed to block the attack from continuing. But the company did not answer questions about when the breach occurred, where in its system hackers entered or what steps the company had taken to comply with industry security standards.
“Our customers can continue using credit and debit cards at our stores,” Schnuck said in the statement. “We apologize for any inconvenience this may have caused our customers, and we thank each of them for their patience while we worked hard to investigate their concerns.”
As consumers across the region reported fraudulent use of their cards in recent weeks, some law enforcement officials encouraged shoppers to use only cash or checks when shopping at Schnucks.
Investigators and fraud experts have said it could be some time before customers notice their cards have been compromised, so their investigations will continue. Typically, hackers gain access to credit card information, then sell it on the Internet to second- and third-party buyers. The stolen information is often encoded into counterfeit cards, which are then sold on the black market. The sellers, however, may take months to sell the data after they gain access to it, which means more fraudulent charges could appear.
Investigators, including the Secret Service, which investigates financial fraud, have said they are waiting for the results of Schnucks’ forensic investigation before they can proceed with criminal investigations. They continued to log new reports of fraud through Friday.
Schnucks says it is working with the Missouri attorney general’s office, law enforcement and credit card companies to determine the magnitude of the breach and catch the criminals.
In recent weeks, customers at Schnucks stores found unauthorized charges on their debit and credit cards made in states around the country and at all types of businesses, from gas stations to big box stores. Investigators have said they’ve noticed a pattern in the charges that raised red flags — first a small “test” charge to make sure the bogus card works, then a larger charge a short time later. Some cards were charged thousands of dollars.
Lori Willis, a company spokeswoman, said she could not provide further details on Saturday about the attack or what the enhanced security measures entailed. “I can’t really say anything as to the type of the breach other than to say it was a cyberattack of proportions of which we have yet to determine,” she said.
Many customers have been upset that Schnucks has not been more forthcoming with details about the breach.
Asked why Schnucks had not said more up until now, Willis said: “We wanted to make sure we kept information contained to what we absolutely knew. ... We provide the best information we were able to provide at every turn, and we will continue to do so as this investigation continues.”
When asked if the stores had seen a dip in traffic, Willis said that overall customers had been very supportive.
“We have been talking directly with customers during the entire time” by answering questions that have come into the chain’s consumer affairs division, she said.
But several customers who have contacted the Post-Dispatch said they got no answers when they called that number.
The company had also been silent about the issue on its Facebook page for several days, not responding to dozens of questions and comments about the breach. Then on Saturday morning, it posted a link to its statement about the breach being “found and contained.”
In response to that post, some commenters expressed support for Schnucks, saying the grocery chain was one of the victims.
But others expressed anger that Schnucks did not make customers aware of the issue sooner so they could stop using their credit cards in the stores and immediately identify fraudulent transactions.
In its statement, Schnucks said that as it identifies cards that may have been accessed, it will notify banks so they can take preventive measures. So even if a card has not had fraudulent charges on it, the bank may still cancel and reissue that card.
Schnucks advised customers who suspect their cards may have been compromised to immediately contact their credit or debit card company.
Lisa Brown of the Post-Dispatch contributed to this report.