supervaluYet another retail chain has experienced a data breach that likely involved customer credit card data. In what they are calling a Criminal Computer Intrusion, Supervalu announced that a breach involving several of their chains occurred in the range of dates: June 22 through July 17.

We’ll keep you Informed about the breach as information becomes available.

Contact your bank or credit card if you think you may have used your card in an affected related store during the dates indicated (see below).

The company has posted an all too standard message by its President and CEO Sam Duncan that, “the safety of our customers’ personal information is a top priority for us.” Undoubtedly sincerely, but somewhat lacking given the similar messages from retailers who have been recent breach victims, including Target, Nieman Marcus and Michaels, the restaurant chain P.F. Changs, and others.

The company is working with third-party experts as well as federal law enforcement to investigate the breach. In a public statement on its website, the company stated that,

SUPERVALU believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.

Aside from the technical details of the breach, two things occur to us as worthy of follow-up:

–          As shown in Verizon’s 2014 Data Breach Investigations Report, “92% of security incidents we analyzed are covered by just nine attack patterns,” which suggests that retail chains are not learning from each other’s misfortunes.

With the increasing frequency of data breaches involving retail chains, how do chains react upon learning of a breach in another chain? Do they perform internal audits based on recent breaches, ensuring that a similar breach couldn’t happen at their stores?

A best practices approach would – one would hope – result in companies learning from each other. But, how much learning is actually happening?

–          What’s involved in ‘insurance for cyber threats’ for such a retail chain? One thing is the amount that the retailer is insured for – surely tens, if not hundreds, of millions of dollars.

The other side of the coin is the requirements placed on the retailer by the insurance company. We assume that it is the insurance company’s money that is involved in any potential payout against the policy. As such, what requirements and precautions are required of the retailer in order for the policy to be paid? What learnings are the insurance companies building into each successive version of their ‘cyber threat’ policy?

Contact your bank or credit card if you think you may have used your card in an affected related store during the dates indicated:

SUPERVALU believes that the payment cards from which such cardholder data may have been stolen were used during the period of June 22 (at the earliest) through July 17 (at the latest), 2014, at the 180 SUPERVALU stores and stand-alone liquor stores listed at under the Consumer Security Advisory section, operated under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy banners.  The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods stores and stand-alone liquor stores, which are included in the store list referenced on the SUPERVALU website.  SUPERVALU currently believes that the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the Company through its Independent Business network other than the franchised Cub Foods stores referenced above.