Supermarket chain Supervalu Inc. is investigating a potential
data breach that might have affected more than 1,000 stores,
according to people familiar with the situation, the latest attack
against a big merchant in recent months.
The breach appears to have taken place in late June or early
July and may have resulted from hackers installing malicious
software onto the company's point-of-sale network, these people
said. That is the system that includes the cash register and
terminals that handle credit card and debit card transactions.
A spokesman for Supervalu didn't have any immediate comment.
The investigation is in the early stages, the people said. It
isn't clear if hackers stole customer data on credit and debit
cards, or how many people might have been affected.
Minneapolis-based Supervalu, which has 3,320 stores in all,
hasn't notified customers about the potential incident, said the
people familiar with the matter. Merchants often don't alert
customers about breaches until they know the scope of the
attack.
An attack on the company's point-of-sale system would be similar
to other recent high-profile data breaches, most notably the
massive hack that occurred at Target Corp. during the winter
holiday-shopping season. In that incident, thieves stole 40 million
payment-card numbers and the personal information of 70 million
shoppers.
Since then, hackers also have taken aim at a slew of merchants,
including luxury retailer Neiman Marcus Group, restaurant chain
P.F. Chang's China Bistro Inc., and Goodwill Industries
International Inc. thrift stores.
Any new data breach is likely to stoke the growing concerns
about security among merchants, consumers and card-issuing banks.
Although shoppers usually aren't liable for purchases they didn't
make, the incidents create headaches among consumers who need to
file paperwork attesting that they didn't make the purchases.
Customers also often receive new account numbers and new cards
if theirs have been hacked.
The recent spate of data breaches has raised questions about
whether companies should always notify their customers, vendors and
authorities immediately after breaches. Some executives believe
such incidents should be kept quiet if valuable information is
stolen, even if it might be compromised.
A recent survey conducted by cardratings.com, a consumer
website, found that Americans underestimate the likelihood that
they have been the victim of a breach and also don't take the right
steps to secure their funds after a known attack.
Breaches also are costly for banks, which usually bear the cost
of fraud on cards they have issued. U.S. credit-card fraud losses
totaled roughly $18 billion last year, according to Javelin
Strategy & Research, a consulting firm that is a unit of
Greenwich Associates.
Breaches are especially damaging to merchants, which must deal
with consumers who might be worried about shopping in their stores.
Target's sales have been hurt by lingering concerns about the data
breach and other issues. The retailer has been offering big
discounts on some items to lure consumers back to its stores.
In all, Target has incurred more than $30 million in costs
associated with the data breach, according to the company.
The Supervalu investigation comes at a time when banks and
merchants are racing to roll out new technology to make card
transactions safer. Banks are ramping up plans to issue cards that
contain a computer chip that creates a unique code for each
transaction, making card data less valuable to thieves.
Merchants, meanwhile, are upgrading their computer terminals to
accept the new chip cards, which have been used for years in
Europe, Asia and Canada.
The supermarket industry has been roiled in recent years by a
wave of mergers and acquisitions. Private-equity firm Cerberus
Capital Management LP, which owns a minority stake in Supervalu,
has been especially active in the industry and earlier this year
agreed to buy Safeway Inc.
Supervalu has struggled more than other major grocery chains to
keep customers amid pressure from Wal-Mart Stores Inc., drugstores
and dollar stores ramping up their food sales. Supervalu has
brought in a new chief executive, sold five of its grocery-store
chains and eliminated up to 1,100 positions from its corporate and
store-support-center offices.
Most of Supervalu's stores are independently run but receive
their goods from Supervalu. The company also handles the
information-technology systems for those stores, as well as other
grocery chains.
Supervalu's stock price has risen about 32% this year, but it
has still lost more than one-third of its value over the last five
years.
Annie Gasparro contributed to this article.
Write to Robin Sidel at robin.sidel@wsj.com