Schnucks still dealing with fallout from credit-card fraud

MARYLAND HEIGHTS, Mo. -- The suburban St. Louis-based grocery store chain Schnucks is among the latest hacker targets, and experts say many companies are struggling to keep up with increasingly sophisticated attacks.

Schnuck Markets Inc. said last month that credit and debit card data from its customers had been hacked. The company said it hired an outside firm to investigate how it happened.

The breach led to fraudulent charges on the cards. No one knows how many were compromised, but experts told the St. Louis Post-Dispatch it likely was in the tens of thousands.

Schnucks said on March 30, two weeks after the attack was detected, that the breach was "found and contained." The Post-Dispatch reports the attack could cost Schnucks millions of dollars in money lost from angry customers, investigation charges and other costs.

Schnucks has not disclosed the nature of the attack, the storage location of its data or the time frame of the breach. Spokeswoman Lori Willis said the company did not "want to provide a road map" for other hackers.

Schnucks isn't alone. In February, the Arizona-based grocery store chain Bashas' announced a breach of its network.

"This has been going on with grocery stores around the country," said Jim McKee, of the St. Louis-based Red Sky Alliance, a cyber-intelligence network. "I think if someone compared the data, they'd find some similarities there."

Information technology experts say that as the data security industry tries to keep pace with hackers, the bad guys always seem to be a step ahead.

"It's a phenomenal problem," said Tom Johnson, an associate vice president at Webster University who serves on a U.S. Secret Service electronic crime task force. "The problems we have, the amount of attacks, they're much more sophisticated than they were before."

Jon Oltsik, a data security expert with Enterprise Strategy Group in Milford, Mass., agreed.

"There's a lot of bad guys out there. You can go and attack Bank of America or Wells Fargo, but those guys have the best security people," Oltsik said. "If you go a couple tiers down, and look for regional players, even a semi-sophisticated hacker can get in easily. They don't have the resources to protect against this."

Major credit card companies have developed data security standards that any entity that processes credit cards has to maintain. For example, companies must install firewalls and forbid using pass codes that come with applications. The standards also outline how credit card data should be stored.

Schnucks said it is a "Level 1" merchant, meaning it processes more than 6 million card transactions a year. As a result, it is required to undergo quarterly network scans and an annual audit.

------

Information from: St. Louis Post-Dispatch, http://www.stltoday.com