Schnucks: 2.4 million credit, debit cards at risk; Cape store among locations potentially affected

ST. LOUIS -- Up to 2.4 million credit cards and debit cards used by customers at Schnucks grocery stores in four states may have been compromised during a three-month period, the suburban St. Louis chain said on Monday.

Schnucks Markets Inc. for the first time outlined the potential breadth of fraud that came to light last month. Many customers have reported fraudulent charges, some in the thousands of dollars.

The Cape Girardeau store was listed as one potentially affected, according to a news release from the grocery chain. The period cards may have been compromised was Dec. 1 to Feb. 2.

Cape Girardeau Schnucks general manager Dennis Marchi wasn't available Monday, and management at the local Schnucks store declined to comment. Late last month Marchi told the Southeast Missourian he had not heard any reports of fraud connected to the local store.

The chain contacted police and the FBI after learning of the fraud and hired a private investigation firm. It was determined that the breach dated to December.

Schnucks said its investigator, the Virginia-based cybersecurity firm Mandiant, on March 28 identified malware that would allow an attacker to access card numbers. The company's information technology unit and Mandiant completed security enhancements by March 30, prompting Schnucks to call the problem "found and contained."

A spokeswoman for the FBI declined to comment.

Chairman and CEO Scott Schnuck apologized to customers for the breach.

"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," Schnuck said in the statement.

Many customers have questioned why they weren't informed earlier. Some have said they'll never again shop at Schnucks.

Schnucks said it delayed offering details until the facts of the breach were more clear.

"From the outset, we have been communicating reliable facts and useful information as they became available," the statement said.

The majority of Schnucks stores are in the St. Louis area, but it operates in five states: Missouri, Illinois, Iowa, Indiana and Wisconsin. The company said 79 of its 100 stores were affected by the breach. Six of the affected stores, all in Illinois, operate under the Hilander name.

A list of affected stores is on the company's website, www.schnucks.com. It includes 50 St. Louis-area stores on the Missouri side; seven on the Illinois side of the St. Louis area; 16 others in Illinois; three others in Missouri [Cape Girardeau, Columbia and Jefferson City]; two in Indiana [Evansville and Newburgh]; and one in Iowa [Bettendorf]. No Wisconsin stores were affected.

Investigators determined the breach involved only card numbers and expiration dates, not the cardholder's name, address and other identifying information, the statement said.

"Customers have asked me if it is safe to shop at Schnucks," Schnuck said. "Yes, we believe it is, and we will work hard to keep it that way."

Schnucks warned that even though the problem was contained by the end of March, new fraud could show up.

"Groups who steal credit cards from merchants will often wait and then sell the stolen credit cards in batches over time," the company said.

It urged customers to watch their account statements or contact the issuer of the card, which can monitor activity or issue a new card. Schnucks said it also has reached out to card issuers.

Pertinent address:

19 S. Kingshighway, Cape Girardeau, Mo.