Supervalu: Linked to Other Breaches?
Security Experts See Common Threads in Retail Attacks
As details about the payments breach that struck select supermarkets owned by Supervalu and Albertsons continue to unfold, security experts say it's likely this latest attack is linked to other recent merchant breaches (see Supermarket Chain Reveals New Breach).
While it could take several weeks to months for the chains to reveal definitive details from their forensics investigations, experts say memory-scraping malware running on the chains' point-of-sale devices and software is likely to blame.
"From my perspective, what is clear with this recent data breach and all the big-box retailers being breached recently is that there does appear to be underground hackers - a gang, organized crime, loose group of hackers - that have been targeting these organizations," says Jon Clay, senior manager of threat research at security firm Trend Micro.
Until retail POS systems encrypt card data before it reaches the terminal's memory, rather than holding cleartext track data while a transaction is processed, they will remain susceptible to these types of attacks, experts agree.
"This has caused a slew of data breaches at big-box retailers of late and also caused major risks for consumers who are starting to feel distrust in using their credit cards and debit cards to purchase goods at these stores," Clay says.
Latest in a Series of Breaches
Since late 2013, a number of retail breaches have received national, and in some cases international, attention. The POS breaches that impacted the likes of Target Corp., Neiman Marcus, Sally Beauty and Michaels were just the beginning, as the industry has learned over the last eight to nine months. Most recently, the POS breach at P.F. Chang's China Bistro and the suspected breach at Goodwill Industries have garnered increasing industry attention, because both are suspected to have been linked to remote-access compromises, which are on the rise (see POS Vendor: Possible Restaurant Breach).
"It's apparent and evident to me that the hackers have compromised various retail point-of-sale vendor software in a big way, and the public is just hearing about this in dribs and drabs," she says. "At some point, hopefully, law enforcement will uncover the ring(s) behind this and put an end to it. Until then, payer beware. I think we have to assume a big portion of POS systems in this country are compromised, or will be in short order."
Details about Supervalu Attack
On Aug. 14, Supervalu said that its network was likely breached on June 22 and that the intrusion continued until July 17. So far, the company has identified 180 Supervalu stores and standalone liquor stores that may have been compromised.
The impacted store brands include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save, and Shoppers Food & Pharmacy.
Albertsons locations also may have been impacted by the breach, Supervalu says. Supervalu, which in January 2013 sold 877 of its stores to Albertsons' parent AB Acquisition LLC, continues to serve as a third-party IT services provider for those stores.
The possibly impacted brands include Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets, the company says.
How attackers compromised Supervalu and Albertsons has not been revealed.
But John Buzzard, who oversees FICO's Card Alert Service, says the attack could have been facilitated by something simple, such as the theft of a technician's username and password used to remotely access the terminals. The two supermarket chains share IT services, so it's very possible their POS devices were connected to the same network and running the same software, he says.
And because standalone liquor stores also were compromised, it could mean that the same credentials were even used to access multiple systems, Buzzard adds. Or, because Supervalu served as a third-party service provider, the hackers may have gotten in through a lateral attack - the same type of third-party attack that compromised Target at the end of last year, he says.
"Injected malware may simply have wormed and tunneled its way into other segments of the network where the standalone data was stored," Buzzard says. "Only the forensic investigation will truly reveal what happened here."
No Reported Fraud - Yet
So far, no card fraud has been linked to the Supervalu and Albertsons breaches. But Buzzard says that may not hold true for long, as issuers are just now going through their reports to compare the timelines and geographies. "This particular intrusion surprised a lot of people," he adds.
Andrew Komarov, a threat researcher and CEO of cyberintelligence firm Intelcrawler, says even retailers that are not connected to the same network are usually susceptible to the same types of attacks because most of them are Windows-based.
"Most of the malware is oriented for Windows-based terminals, providing RAM [memory] scraping functions in order to extract track 2 [magnetic-stripe] data," which is where card data, such as number and expiration date, is stored.
"That's why it will work on any device where it is possible to dump a process memory," he adds.
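To make concrete what a RAM scraper looks for, and why the earlier point about encrypting card data before it reaches terminal memory matters, here is an added example that is not from the article or from any of the firms quoted in it. It scans a byte buffer the way both memory-scraping malware and a defender's memory-forensics sweep do: it looks for the ISO 7813 Track 2 layout (PAN, "=", expiry YYMM, service code, discretionary data), validates candidate PANs with the Luhn check to drop false positives, and reports masked hits. The two "memory dumps" are constructed inline; the PANs are the standard industry test numbers, not real cards. The second buffer stands in for a terminal that only ever holds an encrypted blob, which is why the scan finds nothing there.

```python
import re

# Track 2 layout per ISO/IEC 7813:  ;PAN=YYMM<service code><discretionary data>?
# Sentinels (';' and '?') are optional here because scrapers often find the
# field after the POS application has already trimmed them.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit validation; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4, as PCI-style logs require."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return every plausible Track 2 record found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(2).decode(), m.group(3).decode()
        # A digit run can match the regex by chance; Luhn and a sane month
        # are the cheap filters real scrapers (and scanners) apply.
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "masked": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed stand-in for a POS process memory dump (test PANs only).
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POSAPP.EXE transaction log "
    + b";4111111111111111=2512101" + b"0000000000000" + b"?"   # valid record
    + b"\x90\x90GET /health HTTP/1.1\r\n"
    + b";4111111111111112=2512101000?"                           # fails Luhn
    + b"\x00" * 8
    + b"5555555555554444=2711201"                                # no sentinels
    + b"\xff" * 12
)

# Constructed stand-in for a terminal that only holds ciphertext from the
# card reader: nothing in it is an ASCII digit, so there is nothing to scrape.
ENCRYPTED_MEMORY = b"\x00" * 16 + b"P2PE blob: " + bytes(range(200, 256))


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"offset {h['offset']:5d}  {h['masked']}  exp {h['expiry']}  "
              f"svc {h['service_code']}")
    print("encrypted buffer hits:", len(scan_memory(ENCRYPTED_MEMORY)))
```

The scan deliberately reports masked PANs; a forensics tool that writes full card numbers into its own output just creates another store of cleartext data. Note also that the regex anchors on the "=" separator, so a PAN immediately preceded by other digits in memory would be swallowed into one longer candidate and rejected by Luhn; a production scanner would retry shorter suffixes of that digit run.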
But he also says, like Buzzard, that many of these attacks are being facilitated because of the theft of administrative credentials. "They gain access to the back-office systems, using a supervisor's credentials, and then attack all connected terminals within the network, if they are located in the same environment, such as using a VPN [virtual private network]," Komarov says.