The Schnucks supermarket chain struggled for two weeks to find the source of a breach after being alerted to a possible leak of credit card info by its card processing company. During that time, Schnucks apparently continued exposing the debit and credit card data of people who shopped at its stores.
Details about the breach were released Monday after an investigation into what happened.
Schnucks is a St. Louis-based supermarket chain that owns 100 stores and 96 in-store pharmacies in a five-stage region in the Midwest. On March 30, the company announced that it had found and contained a data breach that had potentially exposed credit and debit card data on an unknown number of its customers.
In an update released today, Schnucks said its investigation show that data on about 2.4 million credit and debit cards used by customers at 79 stores may have been exposed. According to the company, only card numbers and expiration dates appear to have been exposed, not the cardholder's name, address or identifying information.
A detailed timeline of events posted on its site shows that Schnucks first learned of a possible intrusion on March 14. That's when the chain's card processor alerted officials about fraud on a handful of cards that had been used recently. It launched an internal investigation and quickly ruled out insider theft and point-of-sale devices as potential causes.
On March 19, the company hired security firm Mandiant to investigate further amid reports of more fraud. But even with the help of a professional security services firm, Schnucks was not able to isolate and shut down the breach until March 28. It took another 36 hours to contain the breach and bolster security to prevent a reoccurrence.
In its update today, Schnucks warned that the breach affected cards used by customers between December 2012 and March 29, 2013. That time frame suggests that the company was continuing to leak credit and debit card information between the time it was first alerted of a problem and the time it actually fixed it.
Schnucks' experience highlights the growing sophistication of such attacks and the challenges companies face in dealing with them, said Avivah Litan, an analyst with Gartner in Stamford.
"You'd think they would have figured out what to shut off or at least how to control their traffic" to prevent further data leaks, Litan said. The fact that the company was unable to locate the source of the breach for so long shows how good attackers are getting at concealing their tracks, she said.
Increasingly, attackers have been resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection. "They cloak their malware or hide it within seemingly innocuous files so that it's very difficult to detect," she said.
Existing forensics tools are not good enough at finding these attacks within hours, or even days, she said. "And the network and enterprise security tools are not smart enough to detect the hacking ... when it occurs.
"What's needed, and what some tech startups are working on, is behavioral modeling, base-lining and profiling of all nodes and communication ports in an internal network so that abnormal activity and communications can be detected -- even if the activity is only active a few seconds a week," Litan said.
"Of course this is very difficult to pull off without a lot of false positives and noise in the system, but this is what's needed," she added.
Jim Huguelet, principal of the Huguelet Group LLC, a firm that advises companies on compliance with credit card security standards, said the amount of time it took Schnucks to isolate the cause of the breach is longer than is typical.
"This could indicate that the malware was custom-written for Schnucks' environment or utilized unique techniques to hide its existence," he said.
"The number of cards compromised is significant given the relatively small size of the Schnucks chain and just proves that retailers of all sizes must be diligent in their protection of their payment processing systems," Huguelet said.
Schnucks did not respond to a request for comment.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.