The large American supermarket chain Raley’s Family of Fine Stores, which comprises 120 stores in California and Nevada, became the target of a “complex criminal cyber-attack.” The company stated that it had started an investigation into the attack and that no customer data was leaked, but it did not disclose any details or report any technical issues. However, the company’s website is still not functioning.
Raley’s was lucky: in April a similar network of stores, Schnucks (in St. Louis), was attacked. As a result of this attack, thieves stole 2.4 million credit card numbers belonging to customers from 79 out of the 100 Schnucks stores. A series of investigations apparently started in December and continued until late March, led by Mandiant. On March 15th the company received the news that about a dozen people were affected by fraudulent activities on their credit cards after shopping at Schnucks, while Mandiant discovered a large amount of malware planted within the corporate infrastructure of the store, which was the cause of the data theft.
What is even more remarkable about this attack is the fact that those who carried it out tried to use disclosure to their advantage. Even while Mandiant was investigating the case, several customers of Schnucks were contacted by people who claimed to be looking into the incident and asked for additional personal information. It is unknown how effective this trick was, but many angry customers filed charges against the company.
In May, a similar disaster affected another major shopping network, MAPCO. The attackers apparently managed to get through to the company’s processing system and compromised the data of customers’ credit and debit cards. The number of stolen card numbers is unknown, but the attackers surely used malicious software to carry out their assault.
Naturally, we may compare these attacks to large-scale hacking campaigns like Winnti, RedOctober and NetTraveler. In these hacking incidents, the criminals also tried to break into the corporate infrastructure of various companies (and were successful), but the ultimate goals of the attackers were quite different. The individuals behind Winnti, RedOctober and NetTraveler were interested, first of all, in intellectual property and real industrial cyber espionage.
When attacking retail networks, the attackers searched for the billing information of ordinary customers. Both online and offline retailers process the payment data of their customers and store this information in computer systems that are vulnerable to all sorts of online thieves.
Raley’s, MAPCO and Schnucks all issued press releases to assure customers they did everything possible to increase the security level of their systems. But it is fair to assume that before the attacks took place, the level of protection being offered to customers was not high enough to protect the internal infrastructure of the companies and keep users’ data from being stolen.