ST. LOUIS (AP) — Up to 2.4 million credit cards and debit cards used by customers at Schnucks grocery stores in four states may have been compromised over a three-month period, the suburban St. Louis chain said Monday.
Schnucks Markets Inc. for the first time outlined the potential breadth of the fraud that came to light last month. Many customers have reported fraudulent charges, some in the thousands of dollars.
The grocery chain contacted police and the FBI after learning of the fraud and hired a private investigation firm. It was determined that the breach dated to December.
Schnucks said its investigator, the Virginia-based cyber-security firm Mandiant, on March 28 identified Malware that would allow an attacker to access card numbers. The company's information technology unit and Mandiant completed security enhancements by March 30, prompting Schnucks to call the problem "found and contained."
A spokeswoman for the FBI declined comment.
Chairman and CEO Scott Schnuck apologized to customers for the breach.
"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," Schnuck said in the statement.
Many customers have questioned why they weren't informed earlier. Some have said they'll never again shop at Schnucks.
Schnucks said it delayed offering details until the facts of the breach were more clear.
"From the outset, we have been communicating reliable facts and useful information as they became available," the statement said.
The majority of Schnucks stores are in the St. Louis area, but it operates in five states: Missouri, Illinois, Iowa, Indiana and Wisconsin. The company said 79 of its 100 stores were affected by the breach. Six of the affected stores, all in Illinois, operate under the Hilander name.
A list of affected stores is on the company's website, www.schnucks.com . It includes 50 St. Louis-area stores on the Missouri side; seven on the Illinois side of the St. Louis area; 16 others in Illinois; three others in Missouri (Cape Girardeau, Columbia and Jefferson City); two in Indiana (Evansville and Newburgh) ; and one in Iowa (Bettendorf). No stores were affected in Wisconsin.
Investigators determined that the breach involved only card numbers and expiration dates, not the cardholder's name, address and other identifying information, the statement said.
"Customers have asked me if it is safe to shop at Schnucks," Scott Schnuck said. "Yes, we believe it is, and we will work hard to keep it that way."
Schnucks warned that even though the problem was contained by the end of March, new fraud could show up. "Groups who steal credit cards from merchants will often wait and then sell the stolen credit cards in batches over time," the company said.
It urged customers to watch their accounts or contact the issuer of the card, who can monitor activity or issue a new card. Schnucks said it has also reached out to card issuers.
Today is Thursday, Aug. 21, the 233rd day of 2014. There are 132 days left in the year.
1864 -- 150 years ago: Sheriff McLaughlin had the misfortune to dislocate his right shoulder some days ago when his carriage upset. He is now able to walk about but has a very sore shoulder. 1889 -- 125 years ago: A kindergarten was started in the downtown district of Rock Island with the Misses Dodie Hawes and Grace Knowlton as teachers. 1914 -- 100 years ago: Pope Pius X died in Rome. 1939 -- 75 years ago: Rock Island's new theater was named Esquire. 1964 -- 50 years ago: The J.I. Case Co. plant in Bettendorf will add from 150 to 200 employees by Jan. 1 a spokesman for the company said today. The Bettendorf Works today had a payroll of 1,350, but an increased production schedule will require additional people. 1989 -- 25 years ago: The Illowa Council Boy Scouts of America reached and passed its campaign goal in a drive that began 14 months ago by raising more than $2.2 million for the expansion of Loud Thunder Reservation near Andalusia.