Schnuck Markets, Inc
SCHNUCKS PROVIDES ADDITIONAL INFORMATION ON CREDIT CARD ISSUE
We announced on March 30 that we had found and contained the issue. We strongly believe our containment measures were successful – we have not seen any indication of unauthorized access since those measures were implemented.
Please be assured that the security of our customers’ information is a top priority. We have been working non-stop to contain this issue, protect customers whose cards may have been accessed, and implement security enhancements to prevent a reoccurrence. Since we found and contained the issue, our forensic investigation has been focused on identifying each store that was affected and the dates during which cards could have been accessed at each store. As soon as we complete that analysis in the coming days, we will provide that information to the credit card companies so that they can notify all of the banks who issued cards that may have been accessed. Those banks will then be able to conduct additional monitoring of those cards or cancel and reissue new cards. We will also post a list of those stores and the timeframes on our website.
We have been listening intently to our customers since this incident first began. Our Consumer Affairs department has talked to more than 1,500 of our customers – providing as much accurate information as was available in addition to identifying steps that they could take to protect themselves from fraudulent charges. We have also been working with state and federal law enforcement authorities, including the Missouri and Illinois Attorneys General, the Secret Service, and the FBI.
There are two additional perceptions we want to address:
• Schnucks did not know on March 15 that it had been the victim of a cyberattack. Rather, Schnucks was informed by credit card companies on Friday, March 15 that banks had detected fraud on 12 different credit cards that had been used at Schnucks. We immediately began an investigation, and engaged forensic investigators from Mandiant, the leading payment card industry forensic investigation firm. When Mandiant found the first indication of a cyberattack on March 28, Schnucks’ IT department worked with Mandiant for the next 36 hours to contain the incident and block any further access to payment card data.
• Schnucks continuously works to maintain its payment card processing environment in compliance with the Payment Card Industry Data Security Standards (PCI DSS). Schnucks hires a third party security assessor every year to validate its compliance with PCI DSS. At the most recent annual audit in November 2012, Schnucks was validated by its assessor as PCI DSS compliant.
If you have any additional questions about this matter, please feel free to call 1-888-414-8022 (Monday – Friday, 9 am – 5 pm CT).