A St. Louis-based grocery chain revealed Monday that hackers raided its systems to steal 2.4 million credit and debit card numbers.
The numbers corresponded to cards used by shoppers at 79 of 100 Schnucks Markets locations in the Midwest. The attacks may have persisted as long as four months, from last December through March 29.
Schnucks called in incident response firm Mandiant to conduct a forensic exam after it learned on March 15 from its credit and debit card processor that a dozen people experienced fraud on their cards after using them at Schnucks stores, a timeline showed.
On March 28, Mandiant uncovered data-stealing malware within Schnucks systems, and two days later, the threat was contained.
The company also said it is aware of fraudsters contacting Schnucks shoppers and requesting personal information by pretending to be breach investigators.
It's not clear how the breach happened, and a call to spokeswoman Lori Willis on Monday evening was not immediately returned.
"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," Chairman and CEO Scott Schnuck said. "Customers have asked me if it is safe to shop at Schnucks. Yes, we believe it is, and we will work hard to keep it that way.”
Not surprisingly, the company also is facing a lawsuit, according to news reports Monday.