Card data of Supervalu and Albertsons shoppers may be at risk in another hack, the two supermarket companies said Monday.
The companies said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.
Albertsons said the malware may have captured data including account numbers, card expiration dates and the names of cardholders at stores in more than a dozen states. Supervalu said the malware was installed on a network that processes card transactions at several chains, but it believes data was only taken from certain checkout lanes at four Cub Foods stores in Minnesota.
The breach could affect Albertsons stores in California, Idaho, Montana, Nevada, North Dakota, Oregon, Utah, Washington and Wyoming; Acme Markets stores in Delaware, Maryland, New Jersey and Pennsylvania; Jewel-Osco stores in Illinois, Indiana and Iowa; and Shaw's and Star Markets stores in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont. The Boise, Idaho-based company has a total of 1,081 stores.
Supervalu Inc. said it believes the malware was only able to capture card data from some checkout lanes at four Cub Foods locations in Minnesota because it had not finished making security improvements at those stores. The company, which is based in Eden Prairie, Minnesota, said it thinks it has gotten rid of the malware.
The malware was also installed on a network that processes card transactions at Shop 'n Save and Shoppers Food & Pharmacy stores as well as some stand-alone liquor stores, but the company thinks the malware did not capture payment card data from any stores except possibly for the four in Minnesota. Supervalu distributes food to about 1,800 independent stores, runs 1,325 stores under the Save-A-Lot name, and has 190 retail grocery stores under five different brand names, including Cub Foods.
Supervalu sold the Albertsons, Acme, Jewel-Osco, Shaw's and Star Market chains to Cerberus Capital Management in 2013, but it still provides information technology services for those stores.
The companies also disclosed a data breach in August. They said the two incidents are separate. Supervalu said that incident may have affected as many as 200 grocery and liquor stores. It said hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information.
That breach occurred between June 22 and July 17, and Supervalu said it immediately began working to secure that portion of its network. The companies said Monday that they are still investigating that incident and don't know if cardholder data was taken.
The latest breach follows big hacks that affected millions of customers at Home Depot, Target and other retailers over the past year.
Supervalu's shares slipped 8 cents to $9.05 in extended trading Monday.