If there's a sliver of good news to come out of the data breach affecting an estimated 2.4 million payment cards at St. Louis-based Schnucks grocery store chain, it's that the card data didn't come attached to a loyalty program.
If fraudsters get their hands on information related to card-linked loyalty programs, they can obtain the consumer's address, e-mail address and other personal information "to cause considerable damage," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"In this case it appears only the card data [numbers] was breached," Conroy adds.
Still, with that card data, an "enterprising fraudster with knowledge of data" can possibly trick a call-center representative into disclosing other information, Conroy says.
Schnucks Markets Inc. alerted its customers this week that credit and debit cards used in 79 of its 100 stores in five Midwestern states may have been compromised over a period from December 2012 to March 29, 2013.
The chain emphasized in a press release that only the card number and expiration date had been exposed, not "the cardholder name, address or any other identifying information."
Schnucks had previously alerted customers it had been a victim of a cyberattack and that the incident was contained. But the grocery chain provided more details this week, such as the estimated number of cards.
In apologizing to his customers, chairman and CEO Scott Schnuck said in the press release, "Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures."
Many Schnucks customers had reported fraudulent charges on their cards, some for thousands of dollars, the Associated Press reports. One St. Louis area man reportedly has sued Schnucks, claiming the chain failed to act properly.
After contacting the FBI, Schnucks hired Virginia-based cybersecurity firm Mandiant to investigate the breach. Mandiant identified malicious software on Schnucks' systems that gave an attacker access to card numbers, and a fix to block it was applied in late March, Schnucks states in the release.
Individual stores are posting information cards to provide customers more details about the breach, says Schnucks spokeswoman Lori Willis in a phone interview.
"We've never experienced anything like this in the St. Louis area, so we're trying to learn more about it (cyberattacks) as well," Willis says. "The investigation is ongoing, and there isn't any more information to share with our customers at this point."
Schnucks took the proper approach in its timing for informing customers of the breach, Conroy says.
"Quite often, there is a delay in making a data breach public because you want an investigation and forensics to determine why, and you are also trying to catch the bad guys," Conroy says.
It's becoming common for investigators to find malware on a point-of-sale system because the back end of the system is somehow not sealed, Conroy adds.
Malware attacks can be a significant problem for small businesses using PC-based point-of-sale systems, as New England café chain The Works Bakery Café learned this year when it suffered a breach.