What Can Be Learned From the Schnucks Security Breach?
Schnuck Markets has always had the confidence of consumers living in and around its home market of St. Louis. It remains to be seen how much that confidence has been shaken in light of revelations that a recent security breach went on for months before being detected by the grocery chain.
According to Schnucks, the data breach spanned from December 2012 to March 29, 2013 and may have compromised 2.4 million credit and debit cards used in 79 of its 100 stores. Hackers, according to the chain, gained access to card numbers and expiration dates, but not the cardholder’s name, address or any other identifying information.
Scott Schnuck, chairman and CEO of the family-owned chain, apologized to those affected by the security breach.
"We’ve worked hard to provide a secure transaction environment for our customers and today I make a personal pledge to you that we will be relentless in maintaining the security of our payment processing system," said Mr. Schnuck. "We expect that the actions we have taken and will take in the future will send a clear signal that our customers may continue to trust us."
Schnucks has come under some criticism, and faces at least one class-action lawsuit, for not alerting customers quickly enough when unauthorized card use first came to light.
According to the company, management first learned of possible issues on March 15 and launched an investigation on March 19. Schnucks brought in an outside firm to conduct an investigation and the problem was identified on March 28. The company addressed the breach and had, according to a St. Louis Post-Dispatch report, a "containment plan" in place within 36 hours. Schnucks has since alerted banks and credit card companies about potentially compromised cards.
While Schnucks maintains it has complied with data security requirements and even passed an audit last November, security experts say that is not enough. The Post-Dispatch reported that hackers see mid-sized chains such as Schnucks as more vulnerable. Earlier this year, Bashas’ in Arizona reported that its security had been breached as well.
- Schnucks Releases Details of Card Issue as Investigation Nears End – Schnuck Markets, Inc.
- Schnucks says 2.4 million cards may have been compromised – St. Louis Post-Dispatch
- Cyberattack against Schnucks moves to court – St. Louis Business Journal (Sub. required)
- Bashas’ asks customers to monitor cards after cyber attack – Arizona Republic
Do retailers have the talent and resources to effectively deal with continuing attempts to breach IT security? How well do you think Schnucks reacted when it first learned of a potential problem? How would you have managed a similar crisis if you were leading a mid-size chain such as Schnucks?