ST. LOUIS — Up to 2.4 million credit cards and debit cards used by customers at Schnucks grocery stores in four states might have been compromised over a three-month period, the suburban St. Louis chain said Monday.
Schnucks Markets Inc. for the first time outlined the potential breadth of the fraud that came to light last month. Many customers have reported fraudulent charges, some in the thousands of dollars.
The grocery chain contacted police and the FBI after learning of the fraud and hired a private investigation firm. It was determined that the breach dated to December.
Schnucks said its investigator, the Virginia-based cyber-security firm Mandiant, on March 28 identified malware that would allow an attacker to access card numbers. The company's information technology unit and Mandiant completed security enhancements by March 30, prompting Schnucks to call the problem "found and contained."
No arrests have been made. A spokeswoman for the FBI did not immediately respond to a message seeking comment.
Chairman and CEO Scott Schnuck apologized to customers for the breach.
"Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures," Schnuck said in the statement.
Many customers have questioned why they weren't informed earlier. Some have said they'll never again shop at Schnucks.
Schnucks said it delayed offering details until the facts of the breach were clearer.
"From the outset, we have been communicating reliable facts and useful information as they became available," the statement said.
The majority of Schnucks stores are in the St. Louis area, but it operates in five states: Missouri, Illinois, Iowa, Indiana and Wisconsin. The company said 79 of its 100 stores were affected by the breach. Six of the affected stores, all in Illinois, operate under the Hilander name.
A list of affected stores is on the company's website, www.schnucks.com. It includes 50 St. Louis-area stores on the Missouri side; seven on the Illinois side of the St. Louis area; 16 others in Illinois; three others in Missouri (Cape Girardeau, Columbia and Jefferson City); two in Indiana (Evansville and Newburgh); and one in Iowa (Bettendorf). No stores were affected in Wisconsin.
Investigators determined that the breach involved only card numbers and expiration dates, not the cardholder's name, address and other identifying information, the statement said.
"Customers have asked me if it is safe to shop at Schnucks," Scott Schnuck said. "Yes, we believe it is, and we will work hard to keep it that way."
Schnucks warned that even though the problem was contained by the end of March, new fraud could show up. "Groups who steal credit cards from merchants will often wait and then sell the stolen credit cards in batches over time," the company said.
It urged customers to watch their accounts or contact the issuer of the card, who can monitor activity or issue a new card. Schnucks said it has also reached out to card issuers.