SuperValu discloses data breach involving Cub Foods and other stores

SuperValu says hackers broke into its computer network and might have stolen credit card data.

The grocery distributor and retailer Friday acknowleded a "criminal intrusion" into the section of its computer network that processes payment card transactions.

The break-in involves transactions from June 22 to July 17 at more than 200 grocery stores across the country, including many Cub Foods. The breach may have resulted in the theft of account numbers, names, and other information from credit and debit cards used, SuperValu said.

The Eden Prairie-based company secured its systems as soon as the intrusion was discovered and it's safe for customers to use their payment cards, said SuperValu spokesman Jeff Swanson.

"The company has no evidence of any misuse of the card data," he said. "However, out of an abundance of caution, we're wanting to make sure and provide this announcement in the hopes of helping notify and inform our customers."

Swanson would not say how many customers may have had personal data compromised. But he did say the attack affected 209 stores the company either owns, or services for franchisees.

That includes nearly 60 Cub Foods and Cub Liquor stores in Minnesota, plus five Hornbacher's locations in the Fargo-Moorhead area. (See the list of stores here.)

Grocery stores in Illinois, Virginia, Maryland, Missouri and North Carolina were also affected. Swanson says the intruders broke into the system that processes payments at checkout lanes.

The attack on Supervalu is similar to what happened to Target, where thieves made off with 40 million payment card numbers and the personal information of 70 million people by hacking the company's point-of-sale system, said Mark Lanterman with Computer Forensic Services, a Minnetonka-based cyber security firm.

These systems are tempting for cyber criminals, especially those who are out of reach of American prosecutors, Lanterman said, adding, "There's high monetary reward and very low risk of being detected."

Even with the latest security software, "If there is a breakdown in how people and how security employees are interpreting the data, the hackers can still fly under the radar," he said.

Cyber break-ins have been reported in recent months by luxury retailer Nieman Marcus, coupon website LivingSocial and the french telecom company Orange SA.

Earlier this month a security firm reported Russian criminals had amassed a cache of 1.2 billion usernames and passwords.

The attack on Supervalu comes as the company has struggled to compete with lower-priced rivals.

Last year it sold off five of its chains, unloading about $3 billion of debt in the process.

Data thefts can add hundreds of millions of dollars to a company's costs. Target has disclosed $235 million in related expenses, some of which was covered by insurance.

But the SuperValu breach will not affect the company's credit rating, the bond rating agency Standard & Poor's said Friday. S&P analysts say in other similar instances, the costs associated with stolen data are manageable.

Despite those assurances, investors sent the company's share price down 3 percent in Friday trading.

Grocery consultant David Livingston doesn't think the situation will hurt Supervalu with shoppers, mainly because it's a story consumers have heard many times before.

"Most consumers are numb to it because these stories come out every day, and they don't have anything disturbing their lives as a result of it," he said. "Now, it's not very alarming."

Supervalu did the right thing by going public, something that many other retail companies likely have not done, Livingston added.

Target acknowledged a data breach four days after confirming one had taken place, but in that case a security blogger had already disclosed the attack.

SuperValu is directing customers to its website, offering ID protection to customers and says customers should monitor their accounts for suspcious activity.