What Can Be Learned From the Schnucks Security Breach?

Schnuck Markets has always had the confidence of consumers living in and around its home market of St. Louis. It remains to be seen how much that confidence has been shaken in light of revelations that a recent security breach went on for months before being detected by the grocery chain.

According to Schnucks, the data breach spanned from December 2012 to March 29, 2013 and may have compromised 2.4 million credit and debit cards used in 79 of its 100 stores. Hackers, according to the chain, gained access to card numbers and expiration dates, but not the cardholder’s name, address or any other identifying information.

Scott Schnuck, chairman and CEO of the family-owned chain, apologized to those affected by the security breach.

"We’ve worked hard to provide a secure transaction environment for our customers, and today I make a personal pledge to you that we will be relentless in maintaining the security of our payment processing system," said Mr. Schnuck. "We expect that the actions we have taken and will take in the future will send a clear signal that our customers may continue to trust us."


Schnucks has come under some criticism and faces at least one class action lawsuit for not alerting customers quickly enough when unauthorized card use first came to light.

According to the company, management first learned of possible issues on March 15 and launched an investigation on March 19. Schnucks brought in an outside firm to conduct an investigation and the problem was identified on March 28. The company addressed the breach and had, according to a St. Louis Post-Dispatch report, a "containment plan" in place within 36 hours. Schnucks has since alerted banks and credit card companies about potentially compromised cards.

While Schnucks maintains it has complied with data security requirements and even passed an audit last November, security experts say that is not enough. The Post-Dispatch reported that mid-sized chains such as Schnucks are seen as more vulnerable by hackers. Earlier this year, Bashas’ in Arizona reported that its security had been breached, as well.

Discussion Questions

Do retailers have the talent and resources to effectively deal with continuing attempts to breach IT security? How well do you think Schnucks reacted when it first learned of a potential problem? How would you have managed a similar crisis if you were leading a mid-size chain such as Schnucks?

Ryan Mathews
11 years ago

First of all, hackers get more sophisticated all of the time. And as Anonymous has demonstrated over and over again, even the most “secure” computer systems aren’t all that secure.

So, cut the Schnucks a break on Question One. Could they spend a fortune and hire the best anti-hackers on earth? Of course. Would that stop a really dedicated hacker? Probably not. Has IT security grown past “homegrown talent”? Well, sadly yes.

On the reaction time issue. Look, they had to determine what had been taken so, again, give them some credit for not jumping the gun or panicking. That said, is prompt disclosure the order of the day? Absolutely! Customers’ finances hang in the balance and so every minute is critical.

I guess I would have tried to get in front of it a bit faster and more aggressively. The issue isn’t whether or not you can be hacked, it’s what you do when you are.

Ken Lonyai
11 years ago

Big data, big data, big data. It all sounds wonderful and all consumers are supposed to do is have faith that it won’t intentionally or unintentionally be abused or compromised by those collecting it.

These issues have been discussed here before, like in my article “Can You Say ‘Returns Harassment?’” As long as the data collectors/users offer anything less than 100% vigilance and commitment to ironclad security BEFORE there’s a breach, we’ll be having this discussion again and again.

Cathy Hotka
11 years ago

Once again, hackers have shown that they’re at least one step ahead of the good guys.

Retailers should go ahead and purchase some of the more sophisticated tools that can show whether a network is compromised, and see data security as a larger issue than PCI compliance.

Ian Percy
11 years ago

As one who is deeply into a new venture relating to software integrity and cyber-crime, this piece caught my attention. Maybe I need to get out more, but I’ve never heard of Schnucks, though here we are discussing a huge integrity problem that matters to 2.4 million people. Frankly, compared to the ‘real’ cyber problems out there where many hundreds of millions are lost and our very safety compromised, this ‘little’ issue barely deserves the space.

In the US alone, the combined cost of incredibly faulty software (known as the most poorly produced product since the first axe at the dawn of time) and cyber-crime is around $2.2 trillion annually. It’s over $6 trillion globally.

65% of small and mid-sized companies are not protected from intrusion; 20% have partial protection; 3% aren’t sure what they’ve got and only 12% have what might be called “full protection.” Is retail at risk? Does Jos. A. Bank ever have a sale?

What organizations typically do is spend a whack of money putting new locks on the metaphorical front door. Meanwhile the forgotten basement window hasn’t been locked for years. Hackers don’t go to the front door as you know! What we need to see is that the starting point is in our software stew. We have apps all over the place without a clue as to their integrity or even their compatibility. New programs are assumed to have faults (our standards have gotten very low) and even the “fixes” and upgrades have faults.

What I’m saying is that the solution STARTS with ensuring the integrity of your software, not with adding a whole bunch of “security.”

Tony Orlando
11 years ago

We are not living in the Land Of Oz anymore, and it sickens me to see what is happening out there to many businesses who try to do the right thing, only to have these scumbag hackers try to wreck their business.

It will only get worse, as it seems to be growing, because the criminals have all the time in the world to do harm, rather than using their skills for good.

Am I on a rant here? Yes, and taking business out of the equation, some extremely strong penalties need to be levied on these folks who do harm to our way of life.

I feel better now, so back to work for me.

Camille P. Schuster, Ph.D.
11 years ago

Given the dynamic nature of hacking, no one has the skills to completely block hacking 100% of the time. Even large organizations have been hacked. Getting on top of the problem immediately, bringing in experts to examine the situation immediately, and communicating with consumers immediately are all necessary. While the retailer may not be able to announce the cause immediately, there should be communication about what steps are being taken. This is a form of crisis management that every company should prepare for and have a contingency plan available.

Ed Dennis
11 years ago

Almost no retailers have adequate data security. For the most part, this shouldn’t be a worry for consumers unless you shop at one of the third tier retailers who collect and store data on their customers via their clubs and loyalty programs. Now all of these weak retailers are going to have to spend millions to protect consumer data or suffer larger losses in a courtroom.

Isn’t it amazing that retailers like Walmart and Publix don’t have to worry about stuff like this? Schnucks did the best they could with what they had. Note that they had to bring in an outside firm! I would strongly suggest to every retailer that they manage their receivables in a manner that doesn’t require them to hold information on credit cards. Why was this necessary? Shouldn’t the credit card transaction be between the consumer, clearinghouse and the bank? Why does the retailer have to be involved? Why does the retailer have this information?

James Tenser
11 years ago

Retailers may not have a prayer at preventing a data breach by a most determined hacker. You take all the prudent steps you can afford to harden the silo and then hope for the best. Acceptance of this hard reality leads to some wiser choices, however.

Every consumer-facing business that collects identity data is a potential target. So as a matter of good practice, every business must maintain a written security response plan that includes mechanisms and time frames for customer notification.

There is no excuse for delay, denial or debate in these circumstances. With a written plan in place, corrective action can begin immediately once a breach is detected. This helps to limit the damage and maintain customer trust.
