Schnucks Will Post List Of Stores Hit By Cyberattack

The grocer is still investigating the scope of a data breach that compromised debit and credit card information.

A Schnucks spokesperson could not specify Tuesday exactly when, but said the grocer will identify the stores impacted by a cyberattack last month that left customers vulnerable to identity theft and fraudulent charges on their debit or credit cards, along with the timeframe of when they were vulnerable.

The Maryland Heights-based company has already announced that it had "found and contained" the problem, but hasn't said exactly how it happened. "We have never spoken to scope of this because we just don't know it," Lori Willis said by phone Tuesday morning.

The company released a weekend statement updating the situation, which you can read below.

"We announced on March 30 that we had found and contained the issue.  We strongly believe our containment measures were successful – we have not seen any indication of unauthorized access since those measures were implemented.

Please be assured that the security of our customers’ information is a top priority.  We have been working non-stop to contain this issue, protect customers whose cards may have been accessed, and implement security enhancements to prevent a reoccurrence.  Since we found and contained the issue, our forensic investigation has been focused on identifying each store that was affected and the dates during which cards could have been accessed at each store.  As soon as we complete that analysis in the coming days, we will provide that information to the credit card companies so that they can notify all of the banks who issued cards that may have been accessed.  Those banks will then be able to conduct additional monitoring of those cards or cancel and reissue new cards.  We will also post a list of those stores and the timeframes on our website.

We have been listening intently to our customers since this incident first began.  Our Consumer Affairs department has talked to more than 1,500 of our customers – providing as much accurate information as was available in addition to identifying steps that they could take to protect themselves from fraudulent charges.   We have also been working with state and federal law enforcement authorities, including the Missouri and Illinois Attorneys General, the Secret Service, and the FBI.

There are two additional perceptions we want to address:

• Schnucks did not know on March 15 that it had been the victim of a cyberattack. Rather, Schnucks was informed by credit card companies on Friday, March 15 that banks had detected fraud on 12 different credit cards that had been used at Schnucks. We immediately began an investigation, and engaged forensic investigators from Mandiant, the leading payment card industry forensic investigation firm. When Mandiant found the first indication of a cyberattack on March 28, Schnucks’ IT department worked with Mandiant for the next 36 hours to contain the incident and block any further access to payment card data.

• Schnucks continuously works to maintain its payment card processing environment in compliance with the Payment Card Industry Data Security Standards (PCI DSS). Schnucks hires a third party security assessor every year to validate its compliance with PCI DSS. At the most recent annual audit in November 2012, Schnucks was validated by its assessor as PCI DSS compliant.

If you have any additional questions about this matter, please feel free to call 1-888-414-8022 (Monday – Friday 9 am - 5 pm CT)."

Willis told Patch that the consumer affairs division has heard from an out-of-state customer in Iowa and that, while nothing is being ruled out, the problem seems to be focused on the St. Louis area.

Experts have said that even though the issue was contained, customers should still be vigilant with their account statements, since the compromised information may still be in the process of being sold or otherwise passed on to other people who may yet incur fraudulent charges.

Des Peres April 19, 2013 at 03:53 PM
My card was compromised. Des Peres. Bank prevented. Had to have new card and deal with changing my auto pays. Schnucks is not listening to customers "intently". I called to report my situation. Customer Service rep. did not care. Schnucks is not providing any type of identity theft prevention coverage. I spoke to Exec Office. She was unbelievably rude. Schnucks has lost my business not due to the breach but due to how I was treated/handling when I reported the situation - as we were asked to do. Dierbergs will get all my business.
Melissa Campbell May 01, 2013 at 11:37 AM
Just got fraudulent charges on my card 4/28/13. I mostly shop at the one on Dunn Rd. but I have also shopped at the one on Lindbergh and once in Eureka MO.
Jeanie Schmidt May 29, 2013 at 12:06 PM
Jeanie I never use my credit card at Schnucks or any other store for that matter but it got compromised & used for many purposes in London, England. Commerce bank alerted us & took care of it. I now carry my checkbook with me. I hear WalMart shoppers are being affected also.
Jeanie Schmidt May 29, 2013 at 12:08 PM
I try to avoid Schnucks but have not given up on them entirely.
Jeanie Schmidt May 29, 2013 at 12:10 PM
Jeanie I never use my Credit Card at Schnucks or any other store but it got compromised & purchases were made in London, England. Our Commerce Bank alerted us & took care of the situation.

